Google Play removed 24 more malware-filled apps that collected 500,000 downloads in September. The company's security team today detailed the very persistent “large-scale billing fraud family” dubbed “Joker.”
Also known as “Bread,” Joker is a “well-organized, persistent attacker” that Google has been tracking since early 2017. It first engaged in SMS fraud to target users with carriers that allow text message payments, and then moved on to toll fraud, where you pay by visiting a carrier page and entering your phone number.
Users who downloaded affected apps were met with insufficient terms and conditions. For example, the numbers provided for canceling subscriptions were not real, the displayed buttons did not actually work, and a recurring premium subscription was charged in the background.
This iteration of fraud, following new Play policies that restricted SMS permission, speaks to how persistently Joker tried to bill users nefariously.
Joker uses “innovative and classic techniques” to conceal strings from analysis engines, while masking the use of SMS and Wi-Fi APIs from Android. Joker apps have also started to grow user bases and developer reputations with “clean versions,” while also posting fake 5-star reviews.
Google found Joker developers to be particularly active, with three or more Play variants in use with different approaches and carrier targets.
For its part, Google Play Protect detected and removed 1,700 unique Joker malware apps before users ever downloaded them.