Doctor Web experts have discovered malware in the official app store for Huawei devices, AppGallery, multifunctional Trojans of the Android.Joker that subscribe users to paid mobile services.
In total, experts found 10 modifications of these Trojans in AppGallery, which were downloaded by over 538,000 Android device owners.
The Android.Joker family has been known to specialists since the fall of 2019, and analysts discover new versions and modifications of these Trojans almost every day. Typically, such malware is capable of performing various tasks (depending on the goals of the attackers). For example, decoys that victims install are usually basic modules with a minimal set of functions. They only provide communication between other Trojan components. At the same time, the main malicious tasks are performed by modules that are later downloaded from the Internet.
Previously, applications infected with Android.Joker were found mainly in the official catalog of Android applications on Google Play. However, now the attackers seem to have decided to expand their activities and turned their attention to alternative directories supported by major players in the mobile device market.
As is the case with other versions of this malware, modifications found in AppGallery were distributed under the guise of harmless applications that, when launched, worked as users expected. This technique allows virus writers to remain undetected for longer and infect as many devices as possible.
The identified Trojans were hidden in virtual keyboards, a camera application, a launcher, a messenger, a collection of stickers, coloring programs, as well as in the game. Eight applications were distributed by a developer named Shanxi kuailaipai network technology co., Ltd, and two others were distributed by a developer named 何斌.
After downloading and launching such an application, users do not notice anything strange, while Android.Joker invisibly connects to the control server, receives the necessary settings and downloads one of the auxiliary components, which it then launches.
The downloadable component is responsible for the automatic subscription of Android device owners to expensive mobile services. In addition, decoys ask for access to notifications, which they need to intercept SMS from premium services (with subscription activation confirmation codes). Apps also set a limit on the number of successfully connected premium services for each user. By default, it is 5, it can be changed both up and down. In configurations intercepted by specialists, for example, this value reached 10.
The downloadable module is detected by Doctor Web as Android.Joker.242.origin… Also marked are other similar modules that load all 10 new malware modifications. In addition, the same modules were used in some versions of Android.Joker, which were distributed, including through Google Play. For example, in applications such as Shape Your Body Magical Pro, PIX Photo Motion Maker and others.
For the subscription to be successful, the infected device must be connected to the mobile Internet. To do this, Android.Joker.242.origin specifically checks the current connections, and if it detects an active Wi-Fi connection, it tries to turn it off.
Worse, the malware not only hunts for activation codes, but also sends the contents of all notifications about incoming SMS to the attacker’s server, which can lead to leakage of confidential information.
“After receiving an alert from Doctor Web, Huawei hid malware applications in the AppGallery app store to ensure user safety. The company will conduct an additional check in order to minimize the risks of such programs appearing in the future, ”the press service of AppGallery says.