More than 500,000 Huawei smartphone users have downloaded applications infected with the Joker malware that incidentally subscribes them to premium mobile services.

Dubbed “the malware that signs you up for pricey services”, Joker has been flooding Android markets for the last few years. In general, the Joker malware family infects apps on Google’s Play Store, but this is the first case of it occurring on Huawei’s platform. Due to US trade sanctions, Huawei users are currently unable to access the Google Play Store and use the company’s in-house AppGallery platform instead.

According to Dr. Web security researchers, the malware was found inside ten apparently harmless apps in the AppGallery. While the apps functioned as advertised, they conducted fraudulent activity in the background.

Doctor Web’s virus analysts have uncovered the first malware on AppGallery―the official app store from the Huawei Android device manufacturer. They turned out to be dangerous Android.Joker trojans that function primarily to subscribe users to premium mobile services. In total, our specialists discovered that 10 modifications of these trojans have found their way onto AppGallery, with more than 538,000 users having installed them.


Once activated inside the app, the Joker malware would connect to a command and control (C2) server to receive additional configurations and components. After that, they are used to stealthily subscribe users to premium mobile services.

To intercept and respond to any confirmation code delivered via SMS by the subscription service, the infected apps would request access to notifications.

Dr. Web researchers noted that while in this campaign the malware subscribed the users to up to five services, there was nothing that prevented the attackers from increasing this number any time they wished.

The downloaded trojan module is detected by Dr.Web as Android.Joker.242.origin. The same virus record successfully detects other similar modules downloaded by all 10 new malware modifications. Moreover, the same modules were used by some other versions of the Android.Joker, which were spread, among other places, on Google Play, for example, by apps such as Shape Your Body Magical Pro, PIX Photo Motion Maker, and others.


Huawei joker malware attack

Image Source: Dr. Web

Researchers say that the modules downloaded by the compromised apps in AppGallery were also in other apps on Google Play Store, used by other versions of Joker malware. Feel free to check out the complete list of indicators of compromise here.

Once active, the malware communicates to its remote server to get the configuration file, which contains a list of tasks, websites for premium services, JavaScript that mimics user interaction.

According to Doctor Web, these apps have been removed from AppGallery. While new users can no longer download them, those that already have the apps running on their devices need to run a manual cleanup.

By the time Huawei removed them from AppGallery, over half a million copies of the apps were downloaded.

New Powerful Android Malware Disguised as System Update is Attacking Android Phones

Android Permissions Can Be Dangerous: Full Guide to Managing Them

Android Malware: Your Mobile Device Isn’t Safe from Hackers

Leave a Reply

Your email address will not be published. Required fields are marked *