Since the company began tracking it in 2017, Google has removed more than 1700 malicious apps from the Play Store infected with Joker malware.
These also include 24 Android apps, which were discovered by security researchers from the CSIS Security Group back in September, with a cumulative download of about 500,000.
Google described the Joker malware (also called Bread) in a blog post as “a well-organized and persistent intruder,” who used a variety of billing techniques.
Bread Developers strategy has been found by the company’s safety team to be “sheer volume;” sometimes there were three or four versions in the Play Store for multiple carriers, “We saw up to 23 different apps from this family delivered in one day during peak operating times,” says Google.
What Is The Joker Malware?
Initially, malware-infected apps engaged in SMS fraud, targeting networks that permit payments via SMS.
However, after Google restricted the “use of SEND_SMS permission and increased coverage by Google Play Protect,” the malware family moved away from the technique.
The primary method the perpetrators currently use is the’ Toll fraud’ which means payment by accessing the carrier’s website and entering the phone number. In this case, users are led by their mobile bill to subscribe to different types of content.
Crooks take advantage of “device verification” automated billing systems, but not user verification.
“The carrier may decide that the application comes from the computer of the user but does not require user interaction that can not be automated.”
Because there is no user interaction, malware authors use embedded taps, customised HTML parsers, and SMS recipients to automate the payment process.
Users who downloaded Joker malware-infected apps also found problems in the apps. The app features often do not match the app they have installed.
The creators of Joker adapted quickly to the change in the Google Play Store. Fortunately, the company was able to remove the 1.7k Android apps before they presented a real threat to users.