More than 500,000 Huawei users were infected with Joker malware after downloading infected applications from the company's official Android store. Joker is malicious code that poses as a system application and allows attackers to perform a wide range of malicious actions, including disabling the Google Play Protect service, installing malware, creating fake reviews, and displaying ads. This malware can also steal SMS messages, contact lists and device information, as well as sign victims up for premium service subscriptions.
Experts from Doctor Web, an antivirus protection company, discovered ten applications in AppGallery that contained the malicious code. A post published by Doctor Web states the following: "Doctor Web virus analyzers have uncovered the first malware in AppGallery - the official app store from Android device maker Huawei. They proved to be dangerous Android.Joker trojans that work mainly to register users in premium mobile services. In total, our experts discovered that 10 modifications of these trojans have been found in AppGallery, with more than 538,000 users having installed them."
To keep users "in the dark", the infected applications requested access to notifications, which allowed them to steal the confirmation codes that the subscription service delivered via SMS.
According to the researchers, the malware could subscribe a user to a maximum of five services, although the attackers could change that number at any time.
The list of malicious applications included virtual keyboards, a camera application, a launcher, an online messenger, a collection of stickers, coloring programs, and a game.
Most of them came from one developer (Shanxi Kuailaipai Network Technology Co., Ltd.). Doctor Web informed Huawei about these applications and the company removed them from AppGallery. While new users can no longer download them, those who already have the applications on their devices must perform a manual cleanup.
According to the researchers, the same modules that were downloaded from the infected applications in AppGallery were also present in other applications on Google Play, where other versions of Joker malware used them.
Joker's history began in 2017, and since then it has constantly turned up in applications distributed through the Google Play store. In October 2019, Tatyana Shishkova, Android malware analyst at Kaspersky, tweeted about more than 70 applications from the official store that contained the malware. And reports of malware on Google Play continued. In the early 2020s, Google announced that by 2017, it had removed approximately 1,700 applications that had been infected by Joker. Last February, Joker was still in the store, and it continued to bypass Google's defenses even in July last year.
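As part of that manual cleanup, it helps to check which user-installed apps hold notification access, the permission the infected applications relied on to read SMS confirmation codes. The following is an added example, not code from Doctor Web or the original article: it parses the output of `adb shell settings get secure enabled_notification_listeners` and `adb shell pm list packages -3`, and every package name in the sample data is constructed.

```python
# Added example: flag third-party apps that hold notification access.
# Inputs are the text output of two standard Android commands:
#   adb shell settings get secure enabled_notification_listeners
#   adb shell pm list packages -3
# The sample strings below are constructed; the package names are made up.

def parse_listeners(setting_value):
    """Return {package: [listener classes]} from the colon-separated
    'package/class' component list stored in the secure setting."""
    listeners = {}
    value = setting_value.strip()
    if value in ("", "null"):          # setting unset or empty
        return listeners
    for component in value.split(":"):
        component = component.strip()
        if "/" not in component:
            continue                   # skip malformed entries
        package, cls = component.split("/", 1)
        if cls.startswith("."):        # short form is relative to the package
            cls = package + cls
        listeners.setdefault(package, []).append(cls)
    return listeners

def parse_third_party(pm_output):
    """Return the set of package names from 'pm list packages -3' output."""
    return {line.strip()[len("package:"):]
            for line in pm_output.splitlines()
            if line.strip().startswith("package:")}

def flag_notification_access(setting_value, pm_output):
    """Third-party packages that can read every posted notification."""
    third_party = parse_third_party(pm_output)
    return {pkg: classes
            for pkg, classes in parse_listeners(setting_value).items()
            if pkg in third_party}

SAMPLE_SETTING = (  # constructed
    "com.example.preinstalled/.Listener:"
    "com.example.funkeyboard/com.example.funkeyboard.NotifyService:"
    "com.example.stickers/.Listener\n"
)
SAMPLE_PM = (  # constructed
    "package:com.example.funkeyboard\n"
    "package:com.example.stickers\n"
    "package:com.example.notes\n"
)

if __name__ == "__main__":
    for pkg, classes in sorted(flag_notification_access(SAMPLE_SETTING, SAMPLE_PM).items()):
        print(f"{pkg}: review notification access ({', '.join(classes)})")
```

Any flagged package the user does not recognise, or that has no reason to read notifications, is a candidate for removal.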
Source of information: bleepingcomputer.com