Google pulled about 1,700 separate apps that were part of a family of potentially unwanted services from its Google Play application store.
This family of potentially harmful applications, dubbed “Bread” and also known as “Joker”, was involved in billing fraud and was first observed in 2017, when the apps focused solely on SMS fraud.
Over time, the developers focused on finding innovative cloaking and obfuscation strategies to circumvent new policies and the emerging protections of Play Protect in the Google Play Store, and to remain undetected.
Once the applications were actually updated, the 1.7k separate Bread apps were found and deleted from the Play Store, Google says.
“Many of these samples appear to be designed specifically to attempt to slip into the Play Store undetected and are not seen elsewhere,” Alec Guertin and Vadim Kotov, Android Security & Privacy Team, noted in a Jan 9 blog post.
Bread apps have switched from SMS fraud to WAP billing since the initial discovery, following the new Play Store policies that restrict the use of the SEND_SMS permission. The new app versions, which concentrate on toll fraud, aim to exploit the user’s mobile billing methods.
With SMS billing, businesses partner with providers so that users can pay for services by texting a defined keyword to a specified number (shortcode).
With toll billing, the customer pays through a web page set up by the operator, where they enter their telephone number, and the request is verified afterwards. Verification takes place either when the user connects to the page over mobile data or when the user enters into the page a code that is sent by SMS.
The drawback of these verification techniques is that they cannot determine whether the request comes from the user, only that it comes from the user's device. Malware authors can therefore use software (injected taps, custom HTML parsers and SMS receivers) to reduce user interaction and commit fraud.
Apps from the Bread family used various methods to conceal their wrongdoing and avoid scrutiny. They would also mislead users with pop-ups concerning infringement or disclosure, fake ratings in the Play Store, or clean initial versions released before the malicious code is introduced.
“Sheer volume appears to be the preferred approach for Bread developers. At different times, we have seen three or more active variants using different approaches or targeting different carriers. Within each variant, the malicious code present in each sample may look nearly identical with only one evasion technique changed,” Google explains.