Bread apps have misled users by showing fake contact information, and commencing the billing process even if the user hasn’t hit the ‘Confirm’ button.
Google removed 24 Bread apps in September last year
Google Play regularly removes malware apps from its library after the activity is reported via bug bounty or they are detected through its Play Protect and other security mechanisms. One such PHA family that has been on Google's radar for a while now is the ‘Bread' or ‘Joker' family of malware. The tech giant removed 24 apps with the ‘Joker' malware last year in September, and these apps had managed to gather over 500,000 downloads before being de-listed. Now, Google has detailed a bit more about this new malware, claiming that it's a harmful ‘large-scale billing fraud family' that has tried everything under the sun to go past Google's security walls and bill people unethically.
Traces of ‘Joker' or ‘Bread' malware family go back to 2017, wherein it first indulged in SMS fraud and later moved on to toll fraud after Google restricted use of SMS permission. Google claims that they have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected. After Google started restricting use of the SEND_SMS permission and increased coverage by Google Play Protect, the malware family moved on to toll billing, wherein the user has to visit a URL to complete billing and enter their phone number. Malware authors use injected clicks, custom HTML parsers and SMS receivers to automate the billing process without requiring any interaction from the user.
Bread apps have tried to use standard crypto libraries, custom-implemented encryption algorithms, some obfuscation methods utilizing JavaScript in WebViews, and several commercially available packers including - Qihoo360, AliProtect and SecShell – to go undetected. Bread apps also misled users by showing a pop-up that need to read out full terms and conditions, but the text is usually filled with a basic welcome message. Furthermore, these apps have fake contact information, and the billing process commences even if you don't hit the “Confirm” button. Google says Bread apps frequently contain no functionality beyond the billing process or simply clone content from other popular apps.
These malicious apps have also tried to start out as clean apps to sneak through the security walls, and the malicious code is entered later via an update. The early versions of these apps are also then manually filled with fake reviews in order to build a false reputation and misguide the user. “At peak times of activity, we have seen up to 23 different apps from this family submitted to Play in one day. At other times, Bread appears to abandon hope of making a variant successful and we see a gap of a week or longer before the next variant. This family showcases the amount of resources that malware authors now have to expend. Google Play Protect is constantly updating detection engines and warning users of malicious apps installed on their device,” the tech giant notes in its blog.
While all this bad play may sound scary, Google says that it has detected and removed 1,700 unique Bread apps from the Play Store before ever being downloaded by users. We recommend Android users to only download apps from known companies and developers, and scan all the other apps with extra vigilance. Ensure that your phones have good virus protection software installed.
For details of the latest launches and news from Samsung, Xiaomi, Realme, OnePlus, Oppo and other companies at the Mobile World Congress in Barcelona, visit our MWC 2025 hub.