Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Uncategorized

Google Removes Trove of Risky ‘Bread’ Apps From Play Store

Google has removed roughly 1,700 unique applications from its Google Play app store that were part of a family of potentially unwanted programs. 

Google has removed roughly 1,700 unique applications from its Google Play app store that were part of a family of potentially unwanted programs. 

Dubbed “Bread” and also known as “Joker“, this family of Potentially Harmful Applications (PHAs) was engaged in billing fraud and was initially observed in 2017, when the apps were focused solely on SMS fraud. 

Over time, the developers of the applications have focused on finding new cloaking and obfuscation techniques to evade Google Play Store’s new policies and Play Protect’s evolving defenses and remain undetected. 

The 1.7k unique Bread apps were detected and removed from the Play Store before even being downloaded by users, Google says. 

“Many of these samples appear to be designed specifically to attempt to slip into the Play Store undetected and are not seen elsewhere,” Alec Guertin and Vadim Kotov, Android Security & Privacy Team, noted in a Jan 9 blog post

Since the initial discovery, the Bread apps have switched from SMS fraud to WAP billing, following new Play Store policies restricting use of the SEND_SMS permission. The newer app versions, which are focused on toll fraud, continue to leverage mobile billing techniques involving the user’s carrier.

Through SMS billing, carriers partner with vendors to allow users to pay for services by SMS, via texting a prescribed keyword to a prescribed number (shortcode). 

Through toll billing, the user can complete a payment via a web page provided by the carrier, where they need to enter their phone number, and then verify the request. Verification is performed either when the user connects to the page over mobile data, or with the user entering a code sent to them via SMS. 

Advertisement. Scroll to continue reading.

The issue with these verification methods is that they can’t determine whether the request is coming from the user, but only that it originates from their device. Thus, malware authors can leverage automation (injected clicks, custom HTML parsers, and SMS receivers), to eliminate user interaction and commit fraud. 

Apps from the Bread family have employed numerous techniques to hide their malicious behavior and evade analysis. They would also mislead users through pop-ups implying some form of compliance or disclosure, fake reviews in the Play Store, or clean initial versions before the malicious code is introduced. 

“Sheer volume appears to be the preferred approach for Bread developers. At different times, we have seen three or more active variants using different approaches or targeting different carriers. Within each variant, the malicious code present in each sample may look nearly identical with only one evasion technique changed,” Google explains. 

Related: App Found in Google Play Exploits Recent Android Zero-Day

Related: Popular Mideast App Accused of Spying Back on Google Play

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Jared Bartel has been named CISO at Idaho State University.

Automated phishing protection and scam prevention company Bolster has appointed Rod Schultz as CEO.

Bugcrowd has appointed Trey Ford as CISO for the Americas.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.