Google has removed over 1,700 malicious apps from Play Store that were infected with the Joker malware since the company started tracking it in 2017.
These also include 24 Android apps, discovered by CSIS Security Group security researchers back in September, which had about 500,000 downloads in total.
In a blog post, Google described the Joker malware (also known as Bread) as a “well organized, persistent attacker” that had been using different techniques for billing fraud.
The company’s security team found the Bread developers’ approach to be one of “sheer volume.” At times, they had three or four variants on the Play Store targeting multiple carriers.
“At peak times of activity, we have seen up to 23 different apps from this family submitted to Play in one day,” writes Google.
Joker: The Billing Fraud Family
The malware-infected apps were first engaged in SMS fraud, where they would target networks that allowed payments via SMS.
However, the malware family moved away from the technique after Google restricted the “use of the SEND_SMS permission and increased coverage by Google Play Protect.”
Currently, the primary technique used by the perpetrators is “Toll fraud,” which involves paying by visiting the carrier page and entering the phone number. Here, users are tricked into subscribing to different types of content via their mobile phone bill.
Crooks take advantage of automated billing systems that provide “device verification, but not user verification.”
“The carrier can determine that the request originates from the user’s device, but does not require any interaction from the user that cannot be automated.”
Since there is no interaction on behalf of the user, the malware authors use injected clicks, custom HTML parsers, and SMS receivers to automate the billing process.
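The combination Google describes above (SMS-related permissions plus a broadcast receiver that intercepts incoming SMS, in an app whose stated purpose has nothing to do with messaging) is something an app reviewer or analyst can triage statically from the manifest. The following Python script is an added example, not code from the article or from Google; the manifests it parses are constructed samples, and the package names, receiver class name and the `declared_purpose_uses_sms` flag are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PRIORITY_ATTR = f"{{{ANDROID_NS}}}priority"

# Permissions that let an app send SMS or read incoming SMS (e.g. carrier
# confirmation codes) without the user noticing.
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def sms_findings(manifest_xml: str) -> list[str]:
    """Return human-readable findings for SMS capabilities declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []

    # 1. Permission requests at the top level of the manifest.
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    for perm in sorted(requested & SMS_PERMISSIONS):
        findings.append(f"requests {perm}")

    # 2. Broadcast receivers registered for incoming SMS.  A high
    #    intent-filter priority is worth recording because it lets the
    #    receiver see the message before the default messaging app.
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME_ATTR) for a in receiver.iter("action")}
        if SMS_RECEIVED_ACTION not in actions:
            continue
        priority = None
        for intent_filter in receiver.iter("intent-filter"):
            priority = intent_filter.get(PRIORITY_ATTR, priority)
        findings.append(
            f"receiver {receiver.get(NAME_ATTR)} listens for SMS_RECEIVED "
            f"(priority={priority})"
        )
    return findings


def needs_review(manifest_xml: str, declared_purpose_uses_sms: bool = False) -> bool:
    """Flag an app for manual review when it declares SMS capabilities that its
    stated purpose does not explain.  The purpose flag is an assumed input
    supplied by the reviewer (e.g. from the store listing), not read from the manifest."""
    return bool(sms_findings(manifest_xml)) and not declared_purpose_uses_sms


# Constructed sample: a "wallpaper" app that quietly intercepts incoming SMS.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.wallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Wallpaper Pack">
        <receiver android:name=".SmsListener" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed sample: a wallpaper app that only needs network access.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.wallpaper2">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Wallpaper Pack 2"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, "-> review:", needs_review(manifest))
        for finding in sms_findings(manifest):
            print("   ", finding)
```

Legitimate messaging and two-factor apps declare exactly these capabilities, so the output is a triage signal rather than a verdict: the point is the mismatch between what the listing says the app does and what the manifest says it can do, which is the same mismatch the article notes users ran into when app features did not match what they installed.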
Users who downloaded apps infected with Joker malware also found problems within the apps. In many instances, the app features would not match the app they installed.
The Joker creators were quickly adapting to changes in the Google Play Store. Thankfully, the company was able to remove the 1,700 Android apps before they could pose any real threat to users.