Google said yesterday it successfully removed more than 1,700 apps submitted to the Play Store over the past three years that had been infected with various versions of the Bread malware, also known as Joker.
Google described this malware operation as one of the most persistent threats it dealt with during the last few years.
While most malware operators give up once Google detects their apps, the Bread group never did. For more than three years, since 2017, Bread operators have been churning out new versions of their malware on a weekly basis.
Persistence and sheer volume
Over the years, their modus operandi was always the same, focusing on making small changes here and there, with the purpose of finding a gap in Google’s Play Store defenses and security checks.
While most of the time, this didn’t work, sometimes it did. For example, in September 2019, security researcher Aleksejs Kuprins found 24 apps infected with the Bread (Joker) malware that slipped into the Play Store. A month later, Pradeo Labs found another Bread (Joker)-infected app. Trend Micro also found 29 Bread-infected apps a few days later. A few days after that, K7 Security found four other apps that slipped on the Play Store as well. Then Dr.Web found eight other apps, and Kasperksy found four more. This goes on and on. This Google Docs spreadsheet contains other instances of when the Bread (Joker) malware made it on the Play Store.
However, Google reports that most of the time, it was able to stop the malware from reaching its users, blocking more than 1,700 malicious app submissions from the Bread group.
In a blog post detailing its fight against the Bread gang published last night, Google said that the operators “have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected.”
Google’s security team said the malware was not what someone would call sophisticated, but just more persistent than others.
“Sheer volume appears to be the preferred approach for Bread developers,” Google said.
“At different times, we have seen three or more active variants using different approaches or targeting different carriers,” Google added. “At peak times of activity, we have seen up to 23 different apps from this family submitted to Play in one day.”
Google also said that Bread malware strains have also been spotted on the Play Store, suggesting this malware operation knew what and who to target from the get-go and never deviated from its path even if they weren’t initially successful.
Fake reviews and YouTube ads
But as Google admitted, and others have pointed out, there have been some gaps in the Play Store defenses, which the Bread team exploited.
In most cases, the trick that helped the Bread malware crew make it past Play Store security reviews was a technique called “versioning” — which refers to uploading a clean version of the app and then adding malicious functions at later points via app updates.
To make sure they infect as many users as possible, Invictus Europe (and others) say the Bread group often used YouTube videos to direct users towards malicious apps, boosting app features in an attempt to infect as many users as possible.
In addition, Google says it seen the Bread gang often use fake reviews to boost their app’s reputation and drown out negative ones.
From SMS fraud to WAP billing
According to Google, the primary focus of this malware operation was financial fraud. Initial versions of the Bread malware focused on SMS fraud, which refers to the practice of using an infected device to pay for unwanted products or services by sending an SMS to a premium number.
When Google introduced stronger and stricter permissions for Android apps that wanted to access a device’s SMS function, the Bread gang simply changed tactics, switching to WAP fraud.
WAP fraud, also known as toll billing, refers to hackers using infected devices to connect to payment pages via a device’s WAP connection, with the payment being automatically charged to a device’s phone bill.
Both SMS and WAP fraud have been very popular among malware developers for years. This is because both of these billing methods use device verification, but not user verification.
Mobile telcos can verify that a request came from a victim’s device, but they can’t tell if the request was carried out by the user, or was been automated by a script or by malware.
WAP malware used to be a big problem in the mobile world in the late 2000s and early 2010s. In 2017, this reporter wrote about a trend in the Android malware scene about the resurgence of WAP trojans. At the time, in 2017, WAP trojans like Ubsod, Xafekopy, Autosus, and Podec made a sudden, unexpected, and unexplained comeback after years of silence.
As Google pointed out yesterday, the Bread operation appears to be the pinnacle of this comeback, being the most active and most persistent among all.
Based on their sheer persistence, they appear to have made considerable profits; otherwise, they would have most likely given up.
“This family showcases the amount of resources that malware authors now have to expend,” Google said.