Google said yesterday that it successfully removed more than 1,700 apps that had been submitted to the Play Store for the past three years and that were infected with various versions of the Bread malware, also known as Joker.

Google described this malware operation as one of the most persistent threats it has addressed in recent years.

Although most malware operators give up as soon as Google detects their apps, the Bread group never did. For over three years, since 2017, Bread operators have been releasing new versions of their malware every week.

Perseverance and pure volume

Over the years, their modus operandi has always been the same: small changes here and there, aimed at finding a gap in the Play Store's defenses and security controls.

Although this usually didn't work, sometimes it did. For example, in September 2019, security researcher Aleksejs Kuprins found 24 apps infected with the Bread (Joker) malware that had made it into the Play Store. A month later, Pradeo Labs found another app infected with Bread (Joker). Trend Micro also found 29 Bread-infected apps a few days later, and a few days after that, K7 Security found four more apps that had also appeared in the Play Store. The list goes on. This Google Docs spreadsheet contains other cases where the Bread (Joker) malware made it into the Play Store.

However, Google reports that it was usually able to stop the malware from reaching users, blocking more than 1,700 malicious app submissions from the Bread group.

In a blog post about its fight against the Bread gang, published last night, Google said the operators "at some point used almost every concealment and obfuscation technique under the sun in an effort to go unnoticed."

The Google security team said the malware was not what anyone would call sophisticated, simply more persistent than the rest.

“The volume alone seems to be the preferred approach for Bread developers,” said Google.

“At different times we have seen three or more active variants that use different approaches or target different providers,” Google added. “During peak moments of activity, we received up to 23 different apps from this family in one day for Play.”

Google also said that Bread malware variants were spotted in the Play Store, suggesting that this malware operation knew from the beginning what and whom to target and never deviated from that path, even when initially unsuccessful.

False reviews and YouTube ads

But as Google has admitted, and others have pointed out, there are gaps in the Play Store's defenses that the Bread team exploited.

In most cases, the trick that helped the Bread malware crew pass Play Store security reviews was a technique called "versioning", which refers to uploading a clean version of the app first and then adding the malicious functionality later via app updates.
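One defensive footprint of versioning is that an update often asks for permissions the previously reviewed build never needed. The script below, added here as an illustration and not code from Google or from the article, diffs the permissions declared in two Android manifests and flags an update that newly requests SMS- or telephony-related permissions. The manifests are constructed sample data, and the HIGH_RISK watchlist is an assumption chosen for the example.

```python
"""
Added example: flag an app update whose manifest requests permissions
that the previously reviewed version did not declare.

The sample manifests below are constructed for this example; they are not
taken from any real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed watchlist for this example: permissions that matter for SMS and
# carrier (WAP) billing fraud. A real reviewer would tune this list.
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CHANGE_NETWORK_STATE",
}


def _attr(el, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        _attr(el, "name")
        for el in root.iter("uses-permission")
        if _attr(el, "name")
    }


def version_code(manifest_xml):
    """Return android:versionCode from the <manifest> root (0 if absent)."""
    root = ET.fromstring(manifest_xml)
    return int(_attr(root, "versionCode") or 0)


def diff_update(old_xml, new_xml):
    """Compare a reviewed build with its update and flag permission escalation."""
    old, new = permissions(old_xml), permissions(new_xml)
    added = new - old
    return {
        "old_version": version_code(old_xml),
        "new_version": version_code(new_xml),
        "added": sorted(added),
        "removed": sorted(old - new),
        "high_risk_added": sorted(added & HIGH_RISK),
        # Flag when a newly requested permission is on the watchlist.
        "flag": bool(added & HIGH_RISK),
    }


# Constructed sample: the clean first submission only needs network access.
MANIFEST_V1 = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers" android:versionCode="1">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Wallpapers"/>
</manifest>
"""

# Constructed sample: the update quietly adds SMS and telephony permissions.
MANIFEST_V2 = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers" android:versionCode="2">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Wallpapers"/>
</manifest>
"""

if __name__ == "__main__":
    report = diff_update(MANIFEST_V1, MANIFEST_V2)
    print("update %d -> %d" % (report["old_version"], report["new_version"]))
    print("newly requested:", report["added"])
    print("FLAG: high-risk permissions added:", report["high_risk_added"]
          if report["flag"] else "no high-risk escalation")
```

This catches only escalation that is declared in the manifest. An update that keeps its permission set unchanged but downloads and executes additional code at runtime shows nothing here, so a manifest diff belongs alongside behavioural review, not in place of it.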

To reach as many users as possible, Invictus Europe (and others) say the Bread group often used YouTube videos to steer users toward the malicious apps, promoting the apps' features.

In addition, Google says the Bread gang often used fake reviews to improve an app's reputation and drown out negative ones.

From SMS fraud to WAP billing

According to Google, the primary focus of this malware operation was financial fraud. The first versions of the Bread malware focused on SMS fraud, which means using an infected device to pay for unwanted products or services by sending a text message to a premium-rate number.

When Google introduced stronger and stricter permissions for Android apps that wanted to access a device's SMS functionality, the Bread gang simply changed tactics and switched to WAP fraud.

WAP fraud, also known as toll fraud, refers to attackers using infected devices to connect to payment pages over the device's WAP connection, where the payment is automatically charged to the device's phone bill.

Both SMS and WAP fraud have been popular with malware developers for years. This is because both billing methods rely on device authentication, not user authentication.

Mobile telcos can verify that a request comes from the victim's device, but they cannot tell whether the request was made by the user or was automated by a script or by malware.

WAP malware was a major problem in the mobile world in the late 2000s and early 2010s. In 2017, this reporter wrote about a trend in the Android malware scene: the revival of WAP trojans. Back in 2017, after years of silence, WAP trojans such as Ubsod, Xafekopy, Autosus and Podec made a sudden, unexpected and inexplicable comeback.

As Google said yesterday, the Bread operation appears to be the pinnacle of this comeback, the most active and most persistent of them all.

Judging by their perseverance, they appear to have made considerable profits; otherwise they would probably have given up.

“This family shows the amount of resources that malware authors must now spend,” said Google.