Google Play Protect has removed 1,700 unique applications belonging to the Bread malware family from the Play Store before users downloaded them
Google Play Protect has removed 1,700 unique applications belonging to the Joker family of malware from the Play Store before users downloaded them. The company has been tracking this threat since 2017; it defrauds users through SMS messages and WAP payments.
Joker is a family of malware, also known as Bread, that targets the user's mobile bill. Google first identified it at the beginning of 2017 and has since battled infected applications, which always seemed to find a gap in its policies and go unnoticed in the company's marketplace, the Google Play Store.
However, the digital store's defence systems have removed 1,700 unique apps carrying the Bread malware before they were downloaded by users. In September, the Larry Page company also removed 24 infected applications, which together had reached more than 500,000 downloads in the Play Store.
Applications infected with this malware family originally carried out fraud through SMS, but later began to target payments by WAP (Wireless Application Protocol), as reported by Alec Guertin and Vadim Kotov, members of the Android security and privacy team, in a post on their official security blog.
Both techniques take advantage of the integration between telephone operators and vendors that lets users pay for services through their mobile bill. Both request verification of the device, but not of the user. “The operator can determine that the request originates from the user’s device, but does not require any user interaction that cannot be automated,” the Google researchers say. Thus, the creators of this malware “use injected clicks, custom HTML parsers and SMS receivers to automate the payment process without requiring any user interaction.”
“As Play Store has introduced new policies and Google Play Protect has expanded the defences, Bread applications have been forced to go looking for new gaps. At some point, they have come to use all the concealment techniques that exist to not be detected. Many of the samples found seem to be specifically designed to try to enter the Play Store without being detected,” the experts explained, before adding that the company has defended itself from an attacker whom it considers “persistent and well organized.”