
Google details ‘Joker’ malware that’s tried everything to avoid Play Store detection

In September, Google Play removed 24 more malware-filled apps that had amassed 500,000 downloads. Today the company’s security team detailed the very persistent “large-scale billing fraud family” behind them, dubbed “Joker.”

Google has been tracking the “well organized, persistent attacker,” also known as “Bread,” since early 2017. It first engaged in SMS fraud, targeting users whose carriers allow payments via text message, and then moved on to toll fraud, where you pay by visiting a carrier page and entering your phone number.

Users who downloaded affected apps were met with insufficient terms and conditions. For example, the numbers provided to cancel subscriptions weren’t real, and the buttons shown didn’t actually work; instead, the apps proceeded to charge a recurring premium subscription in the background.

This fraud iteration — following new Play policies that restricted the SMS permission — speaks to how persistent Joker has been in trying to nefariously bill users:

They have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected. Many of these samples appear to be designed specifically to attempt to slip into the Play Store undetected and are not seen elsewhere.

This includes “innovative and classic techniques” to hide strings from analysis engines, while also masking usage of Android’s SMS and Wi-Fi APIs. Joker apps have also started with “clean versions” to grow user bases and developer reputations, while also posting fake five-star reviews.

Google found the Joker malware developers to be particularly active, with three or more variants on Play at a time, each using a different approach and targeting different carriers:

At peak times of activity, we have seen up to 23 different apps from this family submitted to Play in one day. At other times, Bread appears to abandon hope of making a variant successful, and we see a gap of a week or longer before the next variant.

For its part, Google Play Protect detected and removed 1,700 unique Joker malware apps before they were ever downloaded by users.

Author: Abner Li

Editor-in-chief. Interested in the minutiae of Google and Alphabet. Tips/talk: abner@9to5g.com