Google Removed Over 1.7K Joker Malware Infected Apps from Play Store

Antus67

Thread author
Nov 3, 2019
Roughly 1,700 applications infected with the Joker Android malware (also known as Bread) have been detected and removed by Google's Play Protect from the Play Store since the company started tracking it in early 2017.
At least one series of such malicious apps did manage to get into the Play Store as discovered by CSIS Security Group security researchers who found 24 apps with over 472,000 downloads in total during September 2019.

"Sheer volume appears to be the preferred approach for Bread developers," says Google. "At different times, we have seen three or more active variants using different approaches or targeting different carriers. [..] At peak times of activity, we have seen up to 23 different apps from this family submitted to Play in one day."
Such malicious Android apps were originally designed by Joker's creators to perform SMS fraud, but have since "largely abandoned this for WAP billing following the introduction of new Play policies restricting use of the SEND_SMS permission and increased coverage by Google Play Protect."
Newer versions of the Joker malware have moved to another type of mobile billing fraud dubbed toll fraud. Using this new technique, the malware's operators make use of malicious apps to trick victims into subscribing to or purchasing various types of content via their mobile phone bill.

"Both of the billing methods detailed above provide device verification, but not user verification," Android Security & Privacy Team's Alec Guertin and Vadim Kotov explain.
"The carrier can determine that the request originates from the user’s device, but does not require any interaction from the user that cannot be automated.