Ten variants of the Joker Android Trojan managed to slip into the Huawei AppGallery app store and were downloaded by more than 538,000 users, according to new data from Russian anti-malware vendor Doctor Web.
Also known as Bread, the Joker Trojan was first observed in 2017 when it was originally focused on SMS fraud. Last year, the malware was observed performing billing fraud, with thousands of infected applications identified and removed by Google.
This family of Potentially Harmful Applications (PHAs), which is known for subscribing users to premium mobile services, has previously targeted Android users through Google Play, but it appears that the malware’s operators have shifted attention to additional app stores.
With Huawei currently being the fourth smartphone maker in terms of market share, at roughly 9 percent, it’s no surprise that the cybercriminals behind the Joker have chosen AppGallery to distribute their malware.
Disguised as harmless applications, the Trojan’s modifications would work as expected when launched, thus avoiding raising suspicion. Observed apps include “virtual keyboards, a camera app, a launcher, an online messenger, a sticker collection, coloring programs, and a game,” the company said.
The Trojan’s variations feature multiple components capable of executing a variety of tasks. While only basic Trojan modules that feature minimal functionality are installed through the initial executable, additional components are downloaded from the Internet to expand the threat’s functionality.
While the user is delivered a full-fledged app, in the background the Trojan connects to the command and control (C&C) server to fe ..