Connect with us

Hi, what are you looking for?



Google Removes Trove of Risky ‘Bread’ Apps From Play Store

Google has removed roughly 1,700 unique applications from its Google Play app store that were part of a family of potentially unwanted programs. 

Google has removed roughly 1,700 unique applications from its Google Play app store that were part of a family of potentially unwanted programs. 

Dubbed “Bread” and also known as “Joker“, this family of Potentially Harmful Applications (PHAs) was engaged in billing fraud and was initially observed in 2017, when the apps were focused solely on SMS fraud. 

Over time, the developers of the applications have focused on finding new cloaking and obfuscation techniques to evade Google Play Store’s new policies and Play Protect’s evolving defenses and remain undetected. 

The 1.7k unique Bread apps were detected and removed from the Play Store before even being downloaded by users, Google says. 

“Many of these samples appear to be designed specifically to attempt to slip into the Play Store undetected and are not seen elsewhere,” Alec Guertin and Vadim Kotov, Android Security & Privacy Team, noted in a Jan 9 blog post

Since the initial discovery, the Bread apps have switched from SMS fraud to WAP billing, following new Play Store policies restricting use of the SEND_SMS permission. The newer app versions, which are focused on toll fraud, continue to leverage mobile billing techniques involving the user’s carrier.

Through SMS billing, carriers partner with vendors to allow users to pay for services by SMS, via texting a prescribed keyword to a prescribed number (shortcode). 

Advertisement. Scroll to continue reading.

Through toll billing, the user can complete a payment via a web page provided by the carrier, where they need to enter their phone number, and then verify the request. Verification is performed either when the user connects to the page over mobile data, or with the user entering a code sent to them via SMS. 

The issue with these verification methods is that they can’t determine whether the request is coming from the user, but only that it originates from their device. Thus, malware authors can leverage automation (injected clicks, custom HTML parsers, and SMS receivers), to eliminate user interaction and commit fraud. 

Apps from the Bread family have employed numerous techniques to hide their malicious behavior and evade analysis. They would also mislead users through pop-ups implying some form of compliance or disclosure, fake reviews in the Play Store, or clean initial versions before the malicious code is introduced. 

“Sheer volume appears to be the preferred approach for Bread developers. At different times, we have seen three or more active variants using different approaches or targeting different carriers. Within each variant, the malicious code present in each sample may look nearly identical with only one evasion technique changed,” Google explains. 

Related: App Found in Google Play Exploits Recent Android Zero-Day

Related: Popular Mideast App Accused of Spying Back on Google Play

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Management & Strategy

Anna Tutt, CMO of Oort, shares her experiences and perspectives on how we can accelerate growth of women in cybersecurity.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.


A new CISA pilot program to warn critical infrastructure organizations if their systems are unpatched against vulnerabilities exploited in ransomware attacks.

Cybersecurity Funding

B2B payment security provider NsKnox raised $17 million in a new funding round that brings the total raised by the company to $35.6 million.


Privacy experts have said they fear pregnancies could be surveilled and the data shared with police or sold to vigilantes.


Google has suspended the Chinese shopping app Pinduoduo on its app store after malware was discovered in versions of the app from other sources.


Five Eyes agencies have issued joint cybersecurity guidance and best practices for smart cities.


ICS Patch Tuesday: Siemens and Schneider Electric have published more than a dozen advisories addressing over 200 vulnerabilities.