Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Joker Android Trojan Lands in Huawei AppGallery App Store

Ten variants of the Joker Android Trojan managed to slip into the Huawei AppGallery app store and were downloaded by more than 538,000 users, according to new data from Russian anti-malware vendor Doctor Web.

Ten variants of the Joker Android Trojan managed to slip into the Huawei AppGallery app store and were downloaded by more than 538,000 users, according to new data from Russian anti-malware vendor Doctor Web.

Also known as Bread, the Joker Trojan was first observed in 2017 when it was originally focused on SMS fraud. Last year, the malware was observed performing billing fraud, with thousands of infected applications identified and removed by Google.

This family of Potentially Harmful Applications (PHAs), which is known for subscribing users to premium mobile services, has previously targeted Android users through Google Play, but it appears that that malware’s operators have shifted attention to additional app stores.


With Huawei currently being the fourth smartphone maker in terms of market share, at roughly 9 percent, it’s no surprise that the cybercriminals behind the Joker have chosen AppGallery to distribute their malware.


Disguised as harmless applications, the Trojan’s modifications would work as expected when launched, thus avoiding rising suspicion. Observed apps include “virtual keyboards, a camera app, a launcher, an online messenger, a sticker collection, coloring programs, and a game,” the company said.


Advertisement. Scroll to continue reading.

The Trojan’s variations feature multiple components capable of executing a variety of tasks. While only basic Trojan modules that feature minimal functionality are installed through the initial executable, additional components are downloaded from the Internet, to expand the threat’s functionality.


While the user is delivered a full-fledged app, in the background the Trojan connects to the command and control (C&C) server to fetch the necessary configuration and components.


The malware automatically subscribes the user to premium mobile services, while the permissions that the decoy application asks for allow it to intercept incoming SMS messages containing the necessary subscription codes.


The apps set a limit on the number of premium services that can be successfully activated for each user. Subscriptions are successful only if the infected device is connected to the Internet through a mobile network. Thus, the Trojan attempts to terminate active Wi-Fi connections.


Doctor Web’s security researchers also warn that the Trojan also sends the contents of all notifications about incoming SMS messages to the C&C server, which could lead to data leaks.


After being alerted to the identified malicious apps, Huawei took a series of measures to prevent further downloads.


Related: Fake Netflix App Luring Android Users to Malware

Related: Facebook Disrupts Chinese Spies Using iPhone, Android Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.