Ten variants of the Joker Android Trojan managed to slip into the Huawei AppGallery app store and were downloaded by more than 538,000 users, according to new data from Russian anti-malware vendor Doctor Web.
Also known as Bread, the Joker Trojan was first observed in 2017 when it was originally focused on SMS fraud. Last year, the malware was observed performing billing fraud, with thousands of infected applications identified and removed by Google.
This family of Potentially Harmful Applications (PHAs), which is known for subscribing users to premium mobile services, has previously targeted Android users through Google Play, but it appears that that malware’s operators have shifted attention to additional app stores.
With Huawei currently being the fourth smartphone maker in terms of market share, at roughly 9 percent, it’s no surprise that the cybercriminals behind the Joker have chosen AppGallery to distribute their malware.
Disguised as harmless applications, the Trojan’s modifications would work as expected when launched, thus avoiding rising suspicion. Observed apps include “virtual keyboards, a camera app, a launcher, an online messenger, a sticker collection, coloring programs, and a game,” the company said.
The Trojan’s variations feature multiple components capable of executing a variety of tasks. While only basic Trojan modules that feature minimal functionality are installed through the initial executable, additional components are downloaded from the Internet, to expand the threat’s functionality.
While the user is delivered a full-fledged app, in the background the Trojan connects to the command and control (C&C) server to fetch the necessary configuration and components.
The malware automatically subscribes the user to premium mobile services, while the permissions that the decoy application asks for allow it to intercept incoming SMS messages containing the necessary subscription codes.
The apps set a limit on the number of premium services that can be successfully activated for each user. Subscriptions are successful only if the infected device is connected to the Internet through a mobile network. Thus, the Trojan attempts to terminate active Wi-Fi connections.
Doctor Web’s security researchers also warn that the Trojan also sends the contents of all notifications about incoming SMS messages to the C&C server, which could lead to data leaks.
After being alerted to the identified malicious apps, Huawei took a series of measures to prevent further downloads.