Net Platforms


Google Removed Over 1.7K Joker Malware Infected Apps from Play Store

Roughly 1,700 applications infected with the Joker Android malware (also known as Bread) have been detected and removed by Google’s Play Protect from the Play Store since the company started tracking it in early 2017.

At least one series of such malicious apps did manage to get into the Play Store as discovered by CSIS Security Group security researchers who found 24 apps with over 472,000 downloads in total during September 2019.

“Sheer volume appears to be the preferred approach for Bread developers,” says Google. “At different times, we have seen three or more active variants using different approaches or targeting different carriers. [..] At peak times of activity, we have seen up to 23 different apps from this family submitted to Play in one day.”


Malware used for billing fraud

Such malicious Android apps were originally designed by Joker’s creators to perform SMS fraud, but have since “largely abandoned this for WAP billing following the introduction of new Play policies restricting use of the SEND_SMS permission and increased coverage by Google Play Protect.”

Newer versions of the Joker malware have moved to another type of mobile billing fraud dubbed toll fraud. Using this new technique, the malware’s operators make use of malicious apps to trick victims into subscribing to or purchasing various types of content via their mobile phone bill.

“Both of the billing methods detailed above provide device verification, but not user verification,” Android Security & Privacy Team’s Alec Guertin and Vadim Kotov explain.

“The carrier can determine that the request originates from the user’s device, but does not require any interaction from the user that cannot be automated.

To be able to automate the malicious billing process without needing any user interaction, the malware authors take advantage of injected clicks, custom HTML parsers, and SMS receivers.

In a lot of cases, the users who get their Android devices infected with Joker malware would also discover that the app features would not match the app they installed.

Joker apps would also frequently come with no other functionality beyond the billing process and, in some instances, would simply be clones of other popular apps in the Google Play Store.

“Google Play Protect scans over 50 billion apps every day across more than two billion devices,” according to the Android Security & Privacy 2018 Year In Review report published in March 2019.

“By analyzing and reviewing upwards of 500,000 apps daily in its cloud-based vetting process, Google Play Protect helps keep harmful apps from ever reaching Google Play.”

As revealed by Google in the 2018 Google Play Store yearly review, they rejected 55% more Android apps than in 2017 and increased the app suspension rate by approximately 66% year-over-year.

Just to put things into perspective, while the 2018 yearly review does not provide the exact number of removed malicious apps, the 2017 one said that the company “took down more than 700,000 apps that violated the Google Play policies, 70% more than the apps taken down in 2016.” 


Joker malware authors forced to adapt

The Joker malware’s creators were continually forced to change tactics to search for gaps in the Play Store’s defenses as Google introduced new policies and Google Play Protect scaled defenses.

“They have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected,” Google says.

“Many of these samples appear to be designed specifically to attempt to slip into the Play Store undetected and are not seen elsewhere.”

More details on the inner workings of the Joker (aka Bread) malware, as well as indicators of compromise including package names and malware sample hashes, are available in Google’s full report.


We’re Netplatforms.

Cyber security is our speciality

We’re Net Platforms and we have years of experience in supporting small-medium businesses across London and Essex with such technology challenges. We’ll get to know your business and create the most appropriate solution to meet your technical requirements, while being commercially sensible in cost. Please contact the team today on 0207 993 9035 or

News Source: