Google has discovered more than 1,700 applications in the Play Store that were infected by Joker malware. The company started tracking the malware (also known as Bread) in early 2017. This malware operation is one of the most persistent threats Google has dealt with during the last few years.
These also include 24 Android apps, discovered back in September, which had about 500,000 downloads in total.
“Sheer volume appears to be the preferred approach for Bread developers,” says Google. “At different times, we have seen three or more active variants using different approaches or targeting different carriers. [..] At peak times of activity, we have seen up to 23 different apps from this family submitted to Play in one day.”
History and tactics
Joker first engaged in SMS fraud, targeting users whose carriers allow payments via text message. This approach did not last long: Google introduced a new security measure that made it harder for apps to access the user's SMS functions. Bread developers were not deterred and continued their fraud through WAP billing.
The Joker creators adapted quickly to the changes in the Google Play Store.
Newer versions of the Joker malware have moved to toll fraud. Using this new technique, the malware’s operators make use of malicious apps to trick victims into subscribing to or purchasing various types of content via their mobile phone bill.
Both billing methods provide device verification, but not user verification. The malware authors take advantage of injected clicks, custom HTML parsers, and SMS receivers to automate the malicious billing process without needing any user interaction.
Joker apps frequently come with no functionality beyond the billing process and, in some instances, are clones of other popular apps in the Google Play Store.