Over the past few months, especially in 2019, many security firms have revealed the names of malicious apps found in the App Store and Play Store. Researchers have also informed users about vulnerabilities, most often concerning Android security threats.

Joker Android malware, which is also known as Bread, has been detected and removed by Google Play Protect from the Play Store since the tech giant first found the vulnerability in 2017. It should be noted, however, that researchers recently revealed that such malicious apps have managed to get back into the Play Store.

The malware threat

Researchers from CSIS Security Group said that they found 24 Play Store apps with over 472,000 downloads in total during September 2019.

As per the tech giant Google, "Sheer volume appears to be the preferred approach for Bread developers. At different times, we have seen three or more active variants using different approaches or targeting different carriers. [..] At peak times of activity, we have seen up to 23 different apps from this family submitted to Play in one day."

Android vulnerability (Reuters)

Usage of malicious apps

These malware-infested apps were originally designed by the creators of the Joker malware. The main intention in creating and spreading the malicious apps was to perform SMS fraud. But as reported, the malware was later used for WAP billing fraud, "following the introduction of new Play policies restricting the use of the SEND_SMS permission and increased coverage by Google Play Protect."

It should be noted that the new version of this malware is now conducting another type of mobile fraud. With these new techniques, the operators can trick victims into subscribing to or purchasing various types of content via their mobile phone bill.

Explanation of the fraud cases

Alec Guertin and Vadim Kotov from the Android Security and Privacy Team explained that the billing methods detailed above provide device verification, but not user verification. As per the researchers, the carrier can verify that the request originates from the user's device, but the flow does not require any interaction from the user that cannot be automated.

In this case, the threat actors behind the malware take advantage of injected clicks, custom HTML parsers and SMS receivers. In many cases, after Joker malware infected their Android phones, users noticed changes in app features, finding that their downloaded apps looked different.

Joker malware apps