Google said yesterday it successfully removed more than 1,700 apps submitted to the Play Store over the past three years that had been infected with various versions of the Bread malware, also known as Joker.
Google described this malware operation as one of the most persistent threats it dealt with during the last few years.
While most malware operators give up once Google detects their apps, the Bread group never did. For more than three years, since 2017, Bread operators have been churning out new versions of their malware on a weekly basis.
Persistence and sheer volume
Over the years, their modus operandi was always the same, focusing on making small changes here and there, with the purpose of finding a gap in Google's Play Store defenses and security checks.
Google's security team said the malware was not what someone would call sophisticated, but just more persistent than others.
"Sheer volume appears to be the preferred approach for Bread developers," Google said.
"At different times, we have seen three or more active variants using different approaches or targeting different carriers," Google added. "At peak times of activity, we have seen up to 23 different apps from this family submitted to Play in one day."
Google also said that Bread samples have only ever been spotted on the Play Store, never in third-party app markets, suggesting this malware operation knew what and who to target from the get-go and never deviated from its path even when its early attempts were unsuccessful.
Fake reviews and YouTube ads
But as Google admitted, and others have pointed out, there have been some gaps in the Play Store defenses, which the Bread team exploited.
In most cases, the trick that helped the Bread malware crew make it past Play Store security reviews was a technique called "versioning" -- which refers to uploading a clean version of the app and then adding malicious functions at later points via app updates.
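The versioning trick leaves a simple artefact: a later release asks for permissions, or registers components, that the first submission never declared. The following added example, written for this article rather than taken from Google's Play Store tooling, diffs two constructed AndroidManifest.xml files and flags an update that newly requests SMS or telephony permissions or registers a receiver for incoming SMS. The package name, component names and both manifests are made up for illustration.

```python
"""Flag versioning-style privilege escalation between two app releases.

Added example (not Google's code). Diffs two AndroidManifest.xml files:
the clean first submission and a later update. The manifests below are
constructed for illustration; real ones come from `apktool d` or
`aapt2 dump xmltree` on each APK version.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_VERSION = f"{{{ANDROID_NS}}}versionCode"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permissions that enable premium-SMS fraud or let a trojan read the
# carrier's confirmation messages. Newly requested in an update, they
# deserve a manual review before the release is approved.
WATCHLIST = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_WAP_PUSH",
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
}

# Constructed sample: v1 is a harmless-looking wallpaper app.
V1_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers" android:versionCode="1">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Wallpapers">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Constructed sample: v2 adds one benign permission, three SMS/telephony
# permissions and a receiver that wakes up on every incoming SMS.
V2_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers" android:versionCode="2">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Wallpapers">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def parse_manifest(xml_text: str) -> dict:
    """Extract version code, requested permissions and receiver actions."""
    root = ET.fromstring(xml_text)
    permissions = {e.get(A_NAME) for e in root.iter("uses-permission")}
    receivers = {}
    for rcv in root.iter("receiver"):
        receivers[rcv.get(A_NAME)] = {a.get(A_NAME) for a in rcv.iter("action")}
    return {
        "version_code": int(root.get(A_VERSION, "0")),
        "permissions": permissions,
        "receivers": receivers,
    }


def diff_releases(old_xml: str, new_xml: str) -> dict:
    """Compare two releases and report escalations worth a reviewer's eye."""
    old, new = parse_manifest(old_xml), parse_manifest(new_xml)
    added = new["permissions"] - old["permissions"]
    flagged = sorted(added & WATCHLIST)
    new_sms_receivers = sorted(
        name for name, actions in new["receivers"].items()
        if name not in old["receivers"] and SMS_RECEIVED in actions
    )
    return {
        "old_version": old["version_code"],
        "new_version": new["version_code"],
        "added_permissions": sorted(added),
        "flagged_permissions": flagged,
        "new_sms_receivers": new_sms_receivers,
        "suspicious": bool(flagged or new_sms_receivers),
    }


if __name__ == "__main__":
    report = diff_releases(V1_MANIFEST, V2_MANIFEST)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A manifest diff only catches escalation the update declares; an update that keeps its manifest unchanged and fetches its payload at runtime needs behavioural review of the code, not just of the permissions it asks for.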
To reach as many users as possible, Invictus Europe (and others) say the Bread group often used YouTube videos promoting the apps' supposed features to steer viewers towards the malicious apps.
In addition, Google says it has seen the Bread gang frequently use fake reviews to boost their apps' reputation and drown out negative ones.
From SMS fraud to WAP billing
According to Google, the primary focus of this malware operation was financial fraud. Initial versions of the Bread malware focused on SMS fraud, which refers to the practice of using an infected device to pay for unwanted products or services by sending an SMS to a premium number.
When Google tightened the permissions Android apps need to access a device's SMS functions, the Bread gang simply changed tactics, switching to WAP fraud.
WAP fraud, also known as toll billing, refers to attackers using infected devices to open carrier payment pages over the device's mobile data connection, where the operator identifies the subscriber automatically and the purchase is charged to the device's phone bill.
Both SMS and WAP fraud have been very popular among malware developers for years. This is because both of these billing methods use device verification, but not user verification.
Mobile telcos can verify that a request came from a victim's device, but they can't tell whether the request was made by the user or was automated by a script or by malware running on that device.
WAP malware used to be a big problem in the mobile world in the late 2000s and early 2010s. In 2017, this reporter wrote about a trend in the Android malware scene: the resurgence of WAP trojans. At the time, WAP trojans like Ubsod, Xafekopy, Autosus, and Podec made a sudden, unexpected, and unexplained comeback after years of silence.
As Google pointed out yesterday, the Bread operation appears to be the pinnacle of this comeback, being the most active and most persistent of them all.
Based on their sheer persistence, they appear to have made considerable profits; otherwise, they would have most likely given up.
"This family showcases the amount of resources that malware authors now have to expend," Google said.