According to a report published by Google, from 2017 to the present experts have found a total of about 1,700 applications infected with the Joker malware (aka Bread). At least one such malware family, spotted by CSIS Security Group specialists, made it into Google Play: 24 malicious applications were downloaded more than 472,000 times in September 2019.
Google experts say that at different times they observed three or more active variants of the malware, using different approaches and targeting different devices. There were also peak periods when up to 23 different applications were active in a single day. Often, these were just clones of various popular applications from the Google Play catalog.
Initially, the malware was designed for SMS fraud, but much has changed since then, especially after the introduction of a new policy restricting the use of SEND_SMS and the strengthening of Google Play Protect. As a result, new versions of Joker use a different type of fraud: they trick their victims into subscribing to various types of content, or buying it, with the charge added to the mobile phone bill. To do this without user interaction, the malware operators use click injections, custom HTML parsers, and SMS receivers.
Experts note that many Joker samples appear to have been created specifically to sneak into the Google Play catalog and have not been seen anywhere else.