Google has removed roughly 1,700 unique applications from its Google Play app store that were part of a family of potentially unwanted programs.
Dubbed “Bread” and also known as “Joker“, this family of Potentially Harmful Applications (PHAs) was engaged in billing fraud and was initially observed in 2017, when the apps were focused solely on SMS fraud.
Over time, the developers of the applications have focused on finding new cloaking and obfuscation techniques to evade Google Play Store’s new policies and Play Protect’s evolving defenses and remain undetected.
The 1.7k unique Bread apps were detected and removed from the Play Store before even being downloaded by users, Google says.
“Many of these samples appear to be designed specifically to attempt to slip into the Play Store undetected and are not seen elsewhere,” Alec Guertin and Vadim Kotov, Android Security & Privacy Team, noted in a Jan 9 blog post.
Since the initial discovery, the Bread apps have switched from SMS fraud to WAP billing, following new Play Store policies restricting use of the SEND_SMS permission. The newer app versions, which are focused on toll fraud, continue to leverage mobile billing techniques involving the user’s carrier.
Through SMS billing, carriers partner with vendors to allow users to pay for services by SMS, via texting a prescribed keyword to a prescribed number (shortcode).
Through toll billing, the user can complete a payment via a web page provided by the carrier, where they need to enter their phone number, and then verify the request. Verification is performed either when the user connects to the page over mobile data, or with the user entering a code sent to them via SMS.
The issue with these verification methods is that they can’t determine whether the request is coming from the user, but only that it originates from their device. Thus, malware authors can leverage automation (injected clicks, custom HTML parsers, and SMS receivers), to eliminate user interaction and commit fraud.
Apps from the Bread family have employed numerous techniques to hide their malicious behavior and evade analysis. They would also mislead users through pop-ups implying some form of compliance or disclosure, fake reviews in the Play Store, or clean initial versions before the malicious code is introduced.
“Sheer volume appears to be the preferred approach for Bread developers. At different times, we have seen three or more active variants using different approaches or targeting different carriers. Within each variant, the malicious code present in each sample may look nearly identical with only one evasion technique changed,” Google explains.
Related: App Found in Google Play Exploits Recent Android Zero-Day
Related: Popular Mideast App Accused of Spying Back on Google Play