The Joker family of malware has been infecting apps on Google’s Play Store for the last few years, but this is the first instance of it cropping up on Huawei’s platform. Huawei users are currently unable to access the Google Play Store due to US trade sanctions, and instead use the company’s in-house AppGallery platform.
“Doctor Web malware analysts come across new versions and modifications of these [Joker] trojans almost daily. They were formerly seen most often on the official Android app store―Google Play. The attackers, however, have apparently decided to expand the scale of their activity and shift their attention to alternative catalogs supported by major players on the mobile device market,” noted the researchers at antivirus company Doctor Web who uncovered the threat.
The researchers found the malware masquerading inside ten seemingly harmless apps in AppGallery. While the apps functioned as advertised, they conducted the unscrupulous activity in the background.
Analysis of the malicious code revealed that once activated inside the app, it would connect to a command and control (C2) server to receive additional configurations and components. These were then used to surreptitiously subscribe users to premium mobile services.
In order to intercept and respond to any confirmation code delivered via SMS by the subscription service, the infected apps would request access to notifications.
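The notification-access pattern described above is something a defender can screen for at manifest level. The following is an added triage heuristic, not code from the article or from Doctor Web's analysis: it parses an Android manifest and flags an app that binds a NotificationListenerService (which can read SMS confirmation codes as they surface as notifications) while also holding network access. The sample manifest, package name and app category are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NOTIF_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Constructed sample (not a real app): a "wallpaper" app that declares a
# notification listener, letting it read SMS codes without READ_SMS.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".NotifSvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed list of categories where reading notifications is expected.
CATEGORIES_NEEDING_NOTIFICATIONS = {"accessibility", "smartwatch", "notification_manager"}


def notification_listeners(manifest_xml: str) -> list[str]:
    """Return the names of services bound with the notification-listener permission."""
    root = ET.fromstring(manifest_xml)
    return [svc.get(ANDROID_NS + "name")
            for svc in root.iter("service")
            if svc.get(ANDROID_NS + "permission") == NOTIF_LISTENER_PERM]


def permissions(manifest_xml: str) -> set[str]:
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}


def triage(manifest_xml: str, category: str) -> list[str]:
    """Flag a listener that the app's category does not justify, and the
    listener-plus-network combination that lets captured codes reach a C2 server."""
    findings = []
    listeners = notification_listeners(manifest_xml)
    if listeners and category not in CATEGORIES_NEEDING_NOTIFICATIONS:
        findings.append(f"notification listener in {category} app: {', '.join(listeners)}")
    if listeners and "android.permission.INTERNET" in permissions(manifest_xml):
        findings.append("listener plus INTERNET: captured codes can be relayed to a C2 server")
    return findings
```

A store-side review pipeline would run `triage` over each submitted manifest and route any hit to manual review rather than reject it outright, since legitimate companion apps do bind listeners.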
The researchers observed that while the malware in this latest campaign subscribed the users to a maximum of five services, there was nothing that prevented the threat actors from upping this number any time they wished.
Most of the apps were developed by a single developer, while two came from another. In all, the researchers note, over half a million copies of the apps had been downloaded by the time Huawei removed them from AppGallery after the researchers notified it.