Google Details ‘Joker’ Malware That Plagued the Play Store, Claims It Removed 1,700 Apps

Bread apps have misled users by showing fake contact information, and commencing the billing process even if the user hasn’t hit the ‘Confirm’ button.

Google Details ‘Joker’ Malware That Plagued the Play Store, Claims It Removed 1,700 Apps

Google removed 24 Bread apps in September last year

  • Google says it has removed 1,700 apps before being downloaded by anyone
  • Traces of ‘Joker’ or ‘Bread’ malware family go back to 2017
  • Some apps have started out clean, only to inject malicious code later

Google Play regularly removes malware apps from its library after the activity is reported via bug bounty or they are detected through its Play Protect and other security mechanisms. One such PHA family that has been on Google’s radar for a while now is the ‘Bread’ or ‘Joker’ family of malware. The tech giant removed 24 apps with the ‘Joker’ malware last year in September, and these apps had managed to gather over 500,000 downloads before being de-listed. Now, Google has detailed a bit more about this new malware, claiming that it’s a harmful ‘large-scale billing fraud family’ that has tried everything under the sun to go past Google’s security walls and bill people unethically.

Traces of ‘Joker’ or ‘Bread’ malware family go back to 2017, wherein it first indulged in SMS fraud and later moved on to toll fraud after Google restricted use of SMS permission. Google claims that they have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected. After Google started restricting use of the SEND_SMS permission and increased coverage by Google Play Protect, the malware family moved on to toll billing, wherein the user has to visit a URL to complete billing and enter their phone number. Malware authors use injected clicks, custom HTML parsers and SMS receivers to automate the billing process without requiring any interaction from the user.

Bread apps have tried to use standard crypto libraries, custom-implemented encryption algorithms, some obfuscation methods utilizing JavaScript in WebViews, and several commercially available packers including – Qihoo360, AliProtect and SecShell – to go undetected. Bread apps also misled users by showing a pop-up that need to read out full terms and conditions, but the text is usually filled with a basic welcome message. Furthermore, these apps have fake contact information, and the billing process commences even if you don’t hit the “Confirm” button. Google says Bread apps frequently contain no functionality beyond the billing process or simply clone content from other popular apps.


Leave a Reply

Your email address will not be published. Required fields are marked *