Over 538,000 Huawei Android devices infected with Joker malware

According to a security research report released by security software developer Dr.Web, a variety of tools and games with malicious modules appeared in Huawei’s official app store.

Huawei AppGallery is an app store developed by Huawei for its Android devices, providing users with a wealth of software and games.

The various software with malicious modules that appeared this time is popular. Similar software appeared in Google Play Store before, but the malicious module version is slightly different.

These malware developers are the Shanxi kuailaipai network technology co., ltd. They mainly use normal software mixed with malicious code to send SMS subscription value-added services.

Analysis shows that Shanxi kuailaipai network technology co., ltd has submitted 10 software in the AppGallery app store, and the number of downloads of this software in the AppGallery app store market has exceeded 538,000.

The method used is to add malicious modules to normal software. After downloading, users will find that this software can be used normally but request notification and SMS permissions.

When the user grants these permissions, the malicious module will quietly send value-added service SMS for ordering. In order to prevent the user from discovering the malicious module, the ordering SMS will be deleted.

In addition, there may be concerns that users find that phone charges are decreasing too quickly. The developer Shanxi kuailaipai network technology co., ltd also limits the number of services per-user subscription to five, but the developer can modify the limit at any time.

The source found that this malicious module named Jocker can be traced back to 2017. In 2019, Kaspersky found 70 apps with this module.

The security report released by Google in 2020 showed that more than 1,700 Joker-infected software has been deleted since 2017, but the virus is still active.

When the user installs the malicious module, it automatically activates and connects to the remote server to obtain configuration files, including task lists, paid service websites, and simulated interactive codes.

Huawei has confirmed that “After receiving an alert from Doctor Web, Huawei hid the trojans in the AppGallery store to protect users. The company will conduct an additional investigation to minimize the risks of such apps appearing in the future.”