No, we’re not talking about the movie. Google has removed 1,700 instances of family of billing fraud malware dubbed Bread, but also known as Joker.
The best bit? These Big G says the apps were nixed before users could even download them. The bad news? They still made their way to the Play Store. What’s special about the Bread malware, which Google has been tracking since 2017, is it continued to evolve along with the Play Store’s defensive mechanisms.
“Bread apps were forced to continually iterate to search for gaps,” write researchers Alec Guertin and Vadim Kotov. “They have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected. Many of these samples appear to be designed specifically to attempt to slip into the Play Store undetected and are not seen elsewhere.”
The malware typically relies on SMS or toll fraud to charge victims, and also uses numerous obfuscating techniques to avoid raising eyebrows.
Where the scam gets particularly elaborate is how Bread apps onboard new users. “Bread has also leveraged an abuse tactic unique to app stores: versioning,” the Google researchers explain. “Some apps have started with clean versions, in an attempt to grow user bases and build the developer accounts’ reputations. Only later is the malicious code introduced, through an update.”
“Interestingly, early ‘clean’ versions contain varying levels of signals that [indicate] the updates will include malicious code later,” the analysis adds.
This ruse is coupled with fake reviews, which are suspiciously generic, but it’s not like we haven’t seen that in the past.
“Sheer volume appears to be the preferred approach for Bread developers. At different times, we have seen three or more active variants using different approaches or targeting different carriers,” Guertin and Kotov add. “At peak times of activity, we have seen up to 23 different apps from this family submitted to Play in one day.”