Half a million Huawei Android phones hit by Joker malware
by CIRT Team
Security researchers have found that over 500,000 Huawei smartphone users have downloaded applications tainted with the Joker malware, which subscribes users to premium mobile services without their knowledge.
A report from antivirus maker Doctor Web notes that the malicious apps retained their advertised functionality but downloaded components that subscribed users to premium mobile services.
To keep users in the dark, the infected apps requested access to notifications, which allowed them to intercept confirmation codes delivered over SMS by the subscription service.
According to the researchers, the malware could subscribe a user to a maximum of five services, although the threat actor could modify this limitation at any time.
The list of malicious applications included virtual keyboards, a camera app, a launcher, an online messenger, a sticker collection, coloring programs, and a game.
Once the malware is launched, users interact with full-fledged applications. However, behind the mask of harmless software, the trojans connect to the C&C server, receive necessary configuration and download one of the additional components, which is then launched. The downloaded component is responsible for automatically subscribing Android device users to premium mobile services. In addition, the decoy apps request access to notifications that they will later need to intercept incoming SMS from premium services with subscription confirmation codes. The same apps set the limit on the number of successfully activated premium services for each user.
Organizations can help defend against types of malware like Joker by abiding by mobile security best practices.
Always have antimalware installed on users' smartphones and ensure that users regularly scan for infections.
Users need to pay closer attention to what the apps on their phones actually do. When a user launches an app for the first time, Android will alert them to what the app is trying to do. The app may request access to the user's camera, address book, SMS messages, etc.
When smartphone users see these prompts, they should think: “Does this app really need access to messages or the address book?” User awareness plays a very important role against this type of malicious app activity.
Always take the time to read any alerts when installing apps, as they often reveal that something unexpected, and unwanted, may be happening. If a smartphone user is ever unsure, or has any doubts at all, they should simply deny the request or uninstall the app entirely.
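Because the decoy apps relied on notification access to read SMS confirmation codes, a periodic audit of which installed apps hold that access is a useful check. The script below is an added example, not part of the original advisory or the Doctor Web report: it parses the output of two standard `adb` commands and flags third-party apps with notification access that are not on an allowlist. The package names, sample outputs and allowlist are constructed for illustration.

```python
"""Flag third-party Android apps that hold notification-listener access."""

# Constructed sample of: adb shell settings get secure enabled_notification_listeners
SAMPLE_LISTENERS = (
    "com.google.android.projection.gearhead/.notifications.Listener:"
    "com.example.keyboard.free/com.example.keyboard.free.NotifySvc:"
    "com.example.mdm.agent/.NotificationBridge"
)
# Constructed sample of: adb shell pm list packages -3   (third-party apps only)
SAMPLE_THIRD_PARTY = (
    "package:com.example.keyboard.free\n"
    "package:com.example.mdm.agent\n"
    "package:com.example.camera.beauty\n"
)
# Hypothetical allowlist: apps the organization expects to read notifications.
ALLOWLIST = {"com.example.mdm.agent"}


def parse_listeners(raw):
    """Return {package: [component, ...]} from the colon-separated setting."""
    result = {}
    raw = raw.strip()
    if not raw or raw == "null":  # `settings get` prints "null" when unset
        return result
    for component in (c.strip() for c in raw.split(":")):
        if "/" not in component:
            continue  # skip empty or malformed entries instead of guessing
        package = component.split("/", 1)[0]
        result.setdefault(package, []).append(component)
    return result


def parse_packages(raw):
    """Return the set of package names from `pm list packages` output."""
    return {line.split(":", 1)[1].strip()
            for line in raw.splitlines() if line.startswith("package:")}


def flag_unexpected(listeners_raw, third_party_raw, allowlist):
    """Third-party packages with notification access that are not allowlisted."""
    listeners = parse_listeners(listeners_raw)
    third_party = parse_packages(third_party_raw)
    return sorted(p for p in listeners if p in third_party and p not in allowlist)


if __name__ == "__main__":
    for pkg in flag_unexpected(SAMPLE_LISTENERS, SAMPLE_THIRD_PARTY, ALLOWLIST):
        print(f"review: {pkg} can read notifications, including SMS previews")
```

To audit a real device, replace the two sample strings with the output of the commands named in the comments.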
For more information & reference:
26 Oct 2023 - Security Advisories & Alerts