Over 500,000 Huawei customers have downloaded applications from the enterprise’s official Android store that are infected with a malicious software known as “Joker”.

Cybersecurity researchers discovered what appeared to be 10 apparently harmless applications in AppGallery that included code that could enable connections to an insidious command and control server, so it could receive additional components and new configurations.

Malware disguised by authentic functions

A report issued by antivirus manufacturer Doctor Web noted that the infected apps kept the functionality they were advertised to offer, but downloaded additional components that subscribed customers to premium-level mobile services.

To ensure users remained unaware of the switch, the malicious applications requested open access to all notifications. This enabled them to easily intercept any confirmation codes being delivered via text message from the subscription service.

The researchers also revealed that the malware could effectively subscribe a customer to up to five different services – however, the hacker behind the campaign could amend this limit at any point in time if they selected to.

The lengthy list of infected apps included a digital camera application, virtual keyboards, a sticker collection, an online messenger, a game and several colouring programs.

Most of the malicious apps originated from a single developer known as Shanxi Kuailaipai Network Technology Co. According to experts at Doctor Web, the 10 infected applications, which included Super Keyboard, Happy Colour, BeautyPlus Camera and Happy Tapping, among others, were downloaded by over 538,000 Huawei customers.

Joker malware unleashed

Doctor Web notified Huawei of all the applications, leading the company to quickly remove them entirely from AppGallery before more users could be impacted. While new customers are no longer able to download these infected apps, users that have already loaded up these apps and have them running on their personal devices must run a manual clean up as soon as possible.

The researcher team examining the apps commented that the exact same modules that were downloaded by the malicious applications in AppGallery were found in other applications listed on Google Play and employed by other editions of Joker malware.

After it becomes active, the Joker malware communicates with its remote command and control server so it can receive the necessary configuration file. This file includes a list of dedicated tasks and websites set up for premium services, along with JavaScript that can perfectly mimic customer interaction.

The use of Joker malware dates back as far as 2017, and it has been a continuing pest, burrowing its way into multiple applications made available through popular platforms such as the Google Play store. Back in 2019, Tatyana Shishkova, Kaspersky’s Android malware analyst, commented on social media that she had identified over 70 compromised applications that had manged to bypass quality control and end up available from the official store.

Last year, Google admitted that since 2017, 1,700 applications that were infected by Joker had needed to be removed from its online store. Despite this, Joker malware remains a threat that still manages to sidestep app stores security.