Google removes more than 1,700 apps infected with Joker malware

Bread malware had planted a significant number of infectious apps to Play store throughout the past years

Bread (Joker) malware appears to be one of the most persistent threats, according to Google

Google released an official report that they have discovered 1,700 applications in the Play Store^[1] that were infected by Bread (Joker) malware.^[2] Even though the company has already dealt with these apps and they are far gone from the online store, Joker malware still falls in the most persistent virus category that Google has ever seen.

It can be approved by the fact that Bread malware developers still kept on releasing new variants of malicious software even though Google had spotted their apps in the first place. It is known that the authors of the malware kept developing new versions every week since 2017. According to Google, the malware always was sure what it was looking for and what the target was even though most of its attempts were not successful.

SMS fraud appears to have been the main goal of Bread malware creators

From the start, Joker malware aimed to use the infected mobile phone device for assigning various suspicious services to the mobile phone number and forcing the victims to unknowingly pay for them:^[3]

Carriers may partner with vendors to allow users to pay for services by SMS. The user simply needs to text a prescribed keyword to a prescribed number (shortcode). A charge is then added to the user’s bill with their mobile service provider.

Even though this type of function did not succeed for a long time as Google decided to implement a new security measure that did not allow all apps to access the user's SMS function very easily, Bread developers did not get lost and continued their fraud tactics through WAP billing.

The WAP fraud scheme works by the malicious actor employing the infected mobile phones for accessing monetary transaction websites through the phone's WAP connection. Afterward, the payment process executes automatically and refers to the victim's mobile phone bill.

SMS and WAP fraud schemes have been found to be very relevant among malicious actors for a long time since now. The most important fact is that only the device verification is required and the verifier cannot be identified as a user or malware.

Joker malware uses the “versioning” tactic to evade the Google Play Store security checkup

According to Google, Bread (Joker) malware always aimed to search for some security bugs and vulnerabilities in the Google Play Store so that the bad actors could skip security checks and plant their malicious apps unnoticed. There were many attempts that have succeeded, for example, Aleksejs Kuprins cybersecurity researcher discovered 24 malicious apps that made their way through,^[4] then Pradeo Labs discovered another 29 of the apps, and so on.

Google claims that Bread malware does not include a very complex operation module but is definitely persistent and stubborn when it comes to loading as many infectious apps to the Play Store as possible. One of the features that were used by the malicious actors is known as “versioning” when a safe and clean version of the app is added first and the malicious code is injected into the program later on.^[5]

Additionally, Joker developers also employed YouTube video clips for taking users to promotion sources of their malicious apps in order to increase the downloading number of those applications. Another tactic that was used by the malicious actors is fake reviews that were written about their promoted apps. Despite all the effort that was put in the app delivery process and attempts to infect users, Google eliminated all the 1,700 apps before anyone managed to download any.