2020-01-09

In September, Google Play removed 24 more malware-filled apps with 500,000 downloads. Google’s security team today detailed that very persistent “large-scale billing fraud family,” dubbed “Joker.”

Also known as “Bread,” the group is a “well-organized, persistent attacker” that Google has been following since early 2017. It began with SMS fraud, targeting users whose carriers allow payment by SMS, and later switched to toll fraud, where you pay by visiting a carrier page and entering your phone number.

Users who downloaded affected apps encountered inadequate disclosure of what the apps did. For example, the numbers given for cancelling subscriptions were not real, and the displayed buttons did nothing visible while a recurring premium subscription was charged in the background.

This iteration of the fraud, which followed the new Play policy restricting the SMS permission, speaks to how persistently Joker has tried to bill users unnecessarily:

At one point or another they have used almost every cloaking and obfuscation technique under the sun in an attempt to go unnoticed. Many of these examples seem to be specifically designed to attempt to slip into the Play Store unnoticed and are not seen anywhere else.

This includes “innovative and classic techniques” for hiding strings from analysis engines, as well as masking the use of Android’s SMS and Wi-Fi APIs. Joker apps also started out as “clean versions” to build up a user base and developer reputation, while also publishing fake five-star reviews.
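To make the two techniques named above concrete from the analyst’s side (hidden API strings and masked SMS/Wi-Fi API use), here is an added example that is not part of the original article or of Google’s published tooling. It runs a simple static heuristic over constructed snippets of decompiled Java: it flags direct references to the SMS and Wi-Fi APIs, and it decodes base64-looking string literals and checks whether they resolve to one of those API names, which is the pattern that reflection-based masking leaves behind. The API list, the regexes and all three sample snippets are assumptions for illustration only.

```python
import base64
import binascii
import re

# Constructed samples of decompiled Java (not from real Joker/Bread apps).
SAMPLE_DIRECT = """
import android.telephony.SmsManager;
SmsManager sm = SmsManager.getDefault();
sm.sendTextMessage(num, null, body, null, null);
"""

# Class name hidden as a base64 literal and loaded via reflection, so the
# plain text "android.telephony.SmsManager" never appears in the source.
SAMPLE_REFLECTIVE = """
String c = new String(Base64.decode("YW5kcm9pZC50ZWxlcGhvbnkuU21zTWFuYWdlcg==", 0));
Class<?> k = Class.forName(c);
Method m = k.getMethod("getDefault");
Object mgr = m.invoke(null);
"""

# Benign sample: reflection is absent and the only long literal decodes to "Hello World".
SAMPLE_BENIGN = """
String greeting = new String(Base64.decode("SGVsbG8gV29ybGQ=", 0));
textView.setText(greeting);
"""

# API names a billing-fraud analyst would care about (SMS and Wi-Fi, per the article).
# This list is an assumption for the example, not an exhaustive catalogue.
SENSITIVE_APIS = (
    "android.telephony.SmsManager",
    "sendTextMessage",
    "android.net.wifi.WifiManager",
)

DIRECT_API_RE = re.compile("|".join(re.escape(a) for a in SENSITIVE_APIS))
REFLECTION_RE = re.compile(r"Class\.forName\s*\(|\.getMethod\s*\(|\.invoke\s*\(")
# Long literals made only of base64 alphabet characters are candidate hidden strings.
STRING_LITERAL_RE = re.compile(r'"([A-Za-z0-9+/=]{16,})"')


def decode_hidden_strings(source):
    """Return (literal, decoded) pairs for base64 literals that decode to a sensitive API name."""
    hits = []
    for lit in STRING_LITERAL_RE.findall(source):
        try:
            decoded = base64.b64decode(lit, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or not text: skip
        if any(api in decoded for api in SENSITIVE_APIS):
            hits.append((lit, decoded))
    return hits


def find_indicators(source):
    """Collect the three indicators the heuristic is built on."""
    return {
        "direct_api": sorted(set(DIRECT_API_RE.findall(source))),
        "reflection": bool(REFLECTION_RE.search(source)),
        "hidden_api_strings": decode_hidden_strings(source),
    }


def is_suspicious(source):
    """Direct API use is worth a look on its own; reflection plus a decoded API
    name is the masking pattern that deserves escalation."""
    ind = find_indicators(source)
    return bool(ind["direct_api"]) or (ind["reflection"] and bool(ind["hidden_api_strings"]))


if __name__ == "__main__":
    for name, src in (("direct", SAMPLE_DIRECT), ("reflective", SAMPLE_REFLECTIVE), ("benign", SAMPLE_BENIGN)):
        print(name, is_suspicious(src), find_indicators(src))
```

The point of the decode step is that a scanner matching only on plain API strings sees nothing in the reflective sample, while decoding candidate literals and re-checking them recovers the hidden class name. Real samples use many more encodings than base64, so in practice this check is one layer among several rather than a verdict on its own.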

Google found that the Joker malware developers were particularly active, with three or more variants live on Play at a time, using different approaches or targeting different carriers:

During peak moments of activity we have seen up to 23 different apps from this family submitted to Play in one day. At other times Bread seems to give up hope of making a variant successful, and we see a gap of a week or more before the next variant.

Google Play Protect has meanwhile detected and removed 1,700 unique Joker malware apps before they were ever downloaded by users.

