Google's security team has published a report on its long-running operation against the Bread malware family, also known as Joker. Over the past three years the company has removed more than 1,700 applications carrying various versions of Bread from Google Play. While most malware operators give up as soon as Google detects their applications, the Bread operators have kept going: for more than three years they have been releasing new versions of their apps every week.
“At some point, the criminals used almost every technique of masking and bypassing the defenses, trying to go unnoticed. At different times, we found three or more active variants of the malware, using different approaches or targeting different carriers. In peak periods of criminal activity, we saw up to 23 different applications of this family on Google Play in one day,” Google said on its blog.
According to the researchers, the attackers also exploited a gap in Google Play's review process to get past its defenses, using a tactic called “versioning”: a clean version of the application is uploaded first, and the malicious functionality is added only later, through an update to the already-published app.
The criminals also frequently used YouTube videos to steer users towards the malicious applications in order to infect as many devices as possible, and posted fake reviews to boost the apps' popularity and bury negative ones.
The early versions of Bread focused on SMS fraud: infected devices were made to pay for products or services by sending an SMS message to a premium-rate number.
When Google introduced stricter rules for Android applications that request access to SMS on the device, the criminals changed tactics and switched to WAP fraud, in which infected devices are used to connect to carrier payment pages over a WAP connection. Both types of fraud abuse mobile billing mechanisms that involve the user's carrier.
“Carriers may partner with vendors to allow users to pay for services by SMS. The user simply needs to text a given keyword to a prescribed number (short code). A charge is then added to the user's bill with their mobile service provider.
Carriers may also provide payment endpoints over a web page. The user visits the URL to complete the payment and enters their phone number.
Malware authors use injected clicks, custom HTML parsers and SMS receivers to automate the billing process without requiring any interaction from the user,” Google's specialists write.
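The combination Google describes (an SMS receiver to catch the carrier's confirmation message, plus JavaScript injected into a WebView to click through the payment page) is something an analyst can triage statically, and the “versioning” trick mentioned earlier can be caught by diffing what an update gained over the first upload. The following Python script is an added example written for this article; it is not Google's tooling or code from any Bread sample. The two manifests, the string constants, the package name and the indicator names are all constructed for illustration.

```python
"""Static triage for Bread/Joker-style toll-fraud indicators (added example).

Parses an AndroidManifest.xml for the SMS-receiver pattern, checks decompiled
string constants for WebView JavaScript injection, and diffs two manifest
versions to catch "versioning" (a clean upload gaining capabilities later).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}

# Constructed manifest of the "clean" first upload (version 1).
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed manifest of the "update" that adds the toll-fraud plumbing (version 2).
MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed string constants, as one might dump from the decompiled DEX of version 2.
STRINGS_V2 = [
    "setJavaScriptEnabled",
    "javascript:document.querySelector('input[type=submit]').click()",
    '<input type="tel"',
    SMS_RECEIVED,
]


@dataclass
class ManifestFacts:
    permissions: Set[str]
    # Highest android:priority of any receiver listening for SMS_RECEIVED,
    # or None when the app registers no such receiver.
    sms_receiver_priority: Optional[int]


def parse_manifest(xml_text: str) -> ManifestFacts:
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    priority = None
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                p = int(flt.get(ANDROID_NS + "priority", "0"))
                priority = p if priority is None else max(priority, p)
    return ManifestFacts(perms, priority)


def toll_fraud_indicators(facts: ManifestFacts, strings: List[str]) -> List[str]:
    """Name each indicator of the SMS-receiver + WebView-injection pattern that is present."""
    hits = []
    if facts.permissions & SMS_PERMISSIONS:
        hits.append("sms-permission")
    if facts.sms_receiver_priority is not None:
        hits.append("sms-receiver")
        if facts.sms_receiver_priority >= 999:
            # A high priority lets the receiver see the carrier's SMS before ordinary receivers.
            hits.append("high-priority-sms-receiver")
    if "setJavaScriptEnabled" in strings:
        hits.append("webview-javascript")
    if any(s.startswith("javascript:") for s in strings):
        hits.append("injected-click")  # script injected into a loaded page to click for the user
    if any(s.lstrip().startswith("<") for s in strings):
        hits.append("html-parsing-strings")  # weak signal: HTML fragments in code rather than assets
    return hits


def versioning_delta(old_xml: str, new_xml: str) -> Dict[str, object]:
    """Capabilities an update gained relative to the earlier, already reviewed upload."""
    old, new = parse_manifest(old_xml), parse_manifest(new_xml)
    return {
        "new_permissions": sorted(new.permissions - old.permissions),
        "added_sms_receiver": old.sms_receiver_priority is None
        and new.sms_receiver_priority is not None,
    }


if __name__ == "__main__":
    v2 = parse_manifest(MANIFEST_V2)
    print("indicators in v2:", toll_fraud_indicators(v2, STRINGS_V2))
    print("what the update added:", versioning_delta(MANIFEST_V1, MANIFEST_V2))
```

None of these indicators is malicious on its own (a legitimate SMS app registers the same receiver), so the value is in the combination and in the delta between versions: an update that suddenly gains SMS permissions, an SMS receiver and `javascript:` strings is exactly the pattern a review pipeline should re-examine rather than wave through on the strength of the earlier, clean version.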
Google also notes that the Bread/Joker developers relied on sheer volume, pushing out large numbers of apps, in contrast to the Sidewinder cyber-espionage group, which managed to place just three applications on Google Play with far more precise targeting.
Across versions of the Bread/Joker-infected applications, the malicious code in each sample can look almost identical, with only the evasion technique changed from one version to the next.
Although Google Play's protection mechanisms have learned to detect and block this family reliably, users who install apps from outside the official Android store remain at risk.