Google has removed 1,700 apps that were infected with malware dubbed Bread, also known as Joker. Google says that the apps were removed before users could even download them, but the fact that they still made their way to the Play Store is quite saddening.
Bread malware has been evolving since Google started tracking it in 2017, and it has somehow managed to get past the Play Store’s security. Researchers Alec Guertin and Vadim Kotov state, “Bread apps were forced to continually iterate to search for gaps. They have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected. Many of these samples appear to be designed specifically to attempt to slip into the Play Store undetected and are not seen elsewhere.”
At its core, the malware relies on SMS or toll fraud that charges its victims, and it uses numerous techniques meant to confuse so that it doesn’t raise any eyebrows. Fake reviews, too, are a part of this ruse.
The researchers explain, “Bread has also leveraged an abuse tactic unique to app stores: versioning. Some apps have started with clean versions, in an attempt to grow user bases and build the developer accounts’ reputations. Only later is the malicious code introduced, through an update.”
“Sheer volume appears to be the preferred approach for Bread developers. At different times, we have seen three or more active variants using different approaches or targeting different carriers. At peak times of activity, we have seen up to 23 different apps from this family submitted to Play in one day,” Guertin and Kotov add.