Bread apps have misled users by showing fake contact information and by starting the billing process even when the user has not tapped the ‘Confirm’ button.
- Google says it has removed 1,700 apps before being downloaded by anyone
- Traces of ‘Joker’ or ‘Bread’ malware family go back to 2017
- Some apps have started out clean, only to inject malicious code later
Google Play regularly removes malware apps from its store after they are reported through its bug bounty programme or detected by Google Play Protect and its other security mechanisms. One potentially harmful application (PHA) family that has been on Google’s radar for a while now is the ‘Bread’ or ‘Joker’ family of malware. The tech giant removed 24 apps carrying the ‘Joker’ malware in September last year, and those apps had gathered over 500,000 downloads before being de-listed. Now, Google has published more detail about the family, describing it as a harmful ‘large-scale billing fraud family’ that has tried everything under the sun to get past Google’s security checks and bill people without their consent.
Traces of the ‘Joker’ or ‘Bread’ malware family go back to 2017, when it first engaged in SMS fraud; it later moved on to toll fraud after Google restricted use of the SMS permission. Google says the family has at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected. After Google started restricting use of the SEND_SMS permission and increased coverage by Google Play Protect, the malware family moved on to toll billing, in which the user has to visit a URL, enter their phone number and confirm the charge. The malware authors use injected clicks, custom HTML parsers and SMS receivers to automate that billing flow so that no interaction from the user is required.
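The two capabilities the article singles out, the SEND_SMS permission and a registered SMS receiver, are both declared in an app’s AndroidManifest.xml, so a reviewer can triage for them before any dynamic analysis. The following is an added example, not code from Google or from the article: a small manifest check that lists SMS-related permissions and any broadcast receiver registered for the SMS_RECEIVED action. The indicator list and the flagging rule are assumptions for this example, not Google Play Protect’s logic, and both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # the namespaced android:name attribute key

# Indicators this heuristic looks for. Assumed for the example; a real review
# would weigh them against the app's stated purpose (an SMS client needs them).
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(manifest_xml: str) -> dict:
    """Report SMS-related permissions and SMS broadcast receivers in a manifest.

    Returns a dict with the matching permission names, the receiver class
    names whose intent-filter includes SMS_RECEIVED, and a 'flagged' boolean
    that is True when either kind of indicator is present.
    """
    root = ET.fromstring(manifest_xml)

    perms = sorted(
        p.get(NAME)
        for p in root.iter("uses-permission")
        if p.get(NAME) in SMS_PERMISSIONS
    )

    receivers = []
    for recv in root.iter("receiver"):
        actions = {a.get(NAME) for a in recv.iter("action")}
        if SMS_RECEIVED_ACTION in actions:
            receivers.append(recv.get(NAME))

    return {
        "sms_permissions": perms,
        "sms_receivers": receivers,
        "flagged": bool(perms) or bool(receivers),
    }


# Constructed manifest in the shape the article describes: a wallpaper app that
# asks to receive SMS and registers a receiver for incoming messages.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Wallpapers">
        <receiver android:name=".SmsCatcher" android:exported="true">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest for a comparable app with no SMS capability at all.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper.clean">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Wallpapers"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_MANIFEST), ("clean", CLEAN_MANIFEST)):
        print(label, triage_manifest(xml))
```

On a real APK the manifest is stored in binary XML, so it must first be decoded (for example with apktool or aapt) before being passed to this function; the check itself is only a triage signal, since legitimate messaging apps declare the same permissions.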