Google Removes Nearly 1700 Malware-Infected Apps

Published on January 10, 2020

Google said it has removed more than 1,700 Android apps infected with the malware Bread (Joker) since 2017. Google has defined the operation as one of the most persistent challenges in the company’s history.

While malware operators tend to give up once Google identifies their software, the Bread group allegedly never did. Bread operators have been producing new variants of their malware on a weekly basis. After Google introduced new Play Store policies restricting the SEND_SMS permission, the Joker apps pulled back. The operators code with meticulous care to avoid detection by the Google Play Store and by mobile carriers. While this approach worked for a while, the apps were ultimately taken down. These apps imitate popular Google Play titles: they look trustworthy while exposing their users to fraud.

Google warns that some apps gain unauthorized access to your device; Play Protect flags such apps because they may steal and transmit your data. Google classifies them as PHAs (Potentially Harmful Applications). Google reports the number of apps it has banned from its store for suspicious behaviour, and that number grows each year. The operators appear as persistent as ever.

Over the years, the malware operators have kept the same modus operandi. They make just enough small changes to find a gap in Google Play Store's defenses. It was hit or miss: sometimes it worked, sometimes it did not.

This was seen in September 2019, when security researcher Aleksejs Kuprins found 24 apps infected with the Bread malware that had made their way into the Play Store. In October of the same year, Pradeo Labs found another infected app. Some time later, Trend Micro found 29 infected apps, and K7 Security found four more. Google's report also documents exactly when Bread-infected apps made it into the store.

In a blog post, Google admitted that the operators had tried every method available in their attempts to go unnoticed. No, this kind of malware isn't regarded as sophisticated; its operators are simply more persistent than the others. Google added that the “sheer volume appears to be the preferred approach for Bread developer.”

Google also said it had observed the Bread malware pattern on the Play Store from early on, which means the operators knew exactly who they were targeting from the very beginning. They did not care whether any single attempt succeeded; they simply kept trying.

The technique that helped the Bread malware gang make it past the Play Store's version of the TSA is referred to as “versioning.” Basically, the group first releases a clean app with no malicious traits. Then, through app updates, they add the dangerous components to the app and, therefore, to people's mobile devices. Once past Google's security system, Bread uses fake reviews to boost its apps' reputation and cancel out the effect of negative reviews. As a bonus, they use YouTube ads to drive traffic and guide users toward the app, with the aim of infecting as many phones and computers as possible.

The Bread group's methods have shifted over time, but the aim has always been financial fraud. Early versions of their tainted apps concentrated on SMS fraud: using an infected device to pay for unwanted and unknown services by sending an SMS to a premium-rate number. In hindsight, I always knew this was suspicious. As expected, Google came back stronger and enforced stricter rules for Android apps. Bread, however, simply changed strategies, switching to WAP fraud.
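The versioning pattern described above (a clean first release, with the SMS-fraud capability arriving in a later update) shows up as a change in the permissions an app declares between versions. The following script is an added example, not code from Google, Play Protect or the Bread investigation: it parses two constructed AndroidManifest.xml snippets with the standard library, diffs their declared permissions, and flags an update that newly requests SMS permissions. The watchlist of permission names is an assumption chosen to match the SEND_SMS behaviour the article describes, not an official list.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in every AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed watchlist: permissions tied to the premium-SMS fraud pattern.
# Not a Google or Play Protect list; extend it to match your own policy.
SMS_WATCHLIST = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}


def permissions_from_manifest(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name="..."/> values."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.add(name)
    return names


def audit_update(old_manifest: str, new_manifest: str) -> dict:
    """Diff the permissions of two app versions and flag newly added SMS rights.

    A clean v1 followed by a v2 that suddenly asks for SEND_SMS is the
    versioning pattern: the malicious capability is shipped as an update.
    """
    old = permissions_from_manifest(old_manifest)
    new = permissions_from_manifest(new_manifest)
    added = new - old
    flagged = added & SMS_WATCHLIST
    return {
        "added": sorted(added),
        "removed": sorted(old - new),
        "flagged": sorted(flagged),
        "suspicious": bool(flagged),
    }


# Constructed sample manifests for a hypothetical wallpaper app.
V1_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers" android:versionCode="1">
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

# Version 2 keeps the same package name but adds SMS permissions.
V2_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers" android:versionCode="2">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>
"""

if __name__ == "__main__":
    report = audit_update(V1_MANIFEST, V2_MANIFEST)
    print("added:  ", report["added"])
    print("flagged:", report["flagged"])
    print("suspicious update:", report["suspicious"])
```

In practice the manifests would come from the APKs of successive releases (for example, decoded with apktool), and the same diff can be run over every update an app ships rather than only the first two; the point is that a reviewer looks at what an update adds, not only at what a first release requests.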

Known as toll billing, WAP fraud is the term used when attackers use infected devices to connect to payment pages over a WAP connection. The payment is charged automatically to the victim's phone bill. This technique, like SMS fraud, is attractive to cybercriminals such as Bread. Because billing requires only device verification, not confirmation from the actual user, the billing companies cannot tell a legitimate user from a Bread-controlled device. The persistence of these operators shows that they are indeed profiting from these crimes.

All we have to remember here is that if they are not giving up, neither are we. As of now, the only thing I know to do is pay attention to the negative reviews and hope I learn better.

Argenis Ovalles is an Editorial Intern at Grit Daily. He currently writes at Vocal Media and Theater Pizzazz.
