Google removed 1,700 ‘Joker’ apps with malware from Play Store
The Google Play Store was plagued with these ‘Bread’ apps, also known as Joker, which used multiple variants to get people to download them.
Google said it has detected and removed 1,700 malicious apps from the Play Store. These apps fall into a unique category called 'Bread', which is also known as 'Joker'. Google has been tracking these apps since 2017.
The latest report from Google highlights that these Bread apps were removed from the Play Store even before users could download them. But these apps still made their way through the Google Play Store. Bread apps, which have been around for quite some time now, initially targeted users through SMS fraud. But attackers moved on to the WAP billing method after the Play Store's new policies against SMS fraud were rolled out.
"As the Play Store has introduced new policies and Google Play Protect has scaled defenses, Bread apps were forced to continually iterate to search for gaps. They have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected. Many of these samples appear to be designed specifically to attempt to slip into the Play Store undetected and are not seen elsewhere," Alec Guertin and Vadim Kotov explain in the blog post.
The blog post further explains how these apps evolved from the older billing method to the new one, but both took advantage of the user's carrier. SMS billing is a process where carriers partner with vendors to pay for services via SMS. Toll billing requires users to visit a URL to complete the payment.
"Malware authors use injected clicks, custom HTML parsers and SMS receivers to automate the billing process without requiring any interaction from the user," the blog post reads.
Bread apps also come in different variants, such as ones displaying pop-up messages and posting fake reviews of newly published apps. Some apps even managed to bypass the Play Store's security by first releasing a clean version and offloading the malware later. Bread app developers have been found to use different variants and approaches and to target different carriers. The attackers have also depended on sheer volume as their main tactic.
Activity has varied, though, with up to 23 different Bread apps uploaded to the Play Store on the same day. In some cases, there have been gaps of a week or more before the next move is made.