Google removes 17 apps infected with the Joker (Bread) malware

By Sameer Mitha | Published on 28 Sep 2020
  • The Joker (Bread) malware is one of the most persistent malware families that Google has dealt with.

  • The 17 apps that have been removed include scanning apps, messaging apps, a Multi-functional Translator and more.

  • The apps were downloaded 120,000 times before being detected.

Google has removed 17 apps from the Google Play Store for being infected by the Joker (Bread) malware. This is one of the most persistent malware families we have seen on Google’s mobile OS, and the company has been dealing with it since 2017. In that time, Google has removed more than 1700 apps infected with the Joker malware. These 17 apps were downloaded 120,000 times before being detected. The list of 17 apps is as follows.

  • All Good PDF Scanner
  • Mint Leaf Message-Your Private Message
  • Unique Keyboard - Fancy Fonts & Free Emoticons
  • Tangram App Lock
  • Direct Messenger
  • Private SMS
  • One Sentence Translator - Multifunctional Translator
  • Style Photo Collage
  • Meticulous Scanner
  • Desire Translate
  • Talent Photo Editor - Blur focus
  • Care Message
  • Part Message
  • Paper Doc Scanner
  • Blue Scanner
  • Hummingbird PDF Converter - Photo to PDF
  • All Good PDF Scanner

According to Zscaler security, “This spyware is designed to steal SMS messages, contact lists, and device information along with silently signing up the victim for premium wireless application protocol (WAP) services”. In July 2020 and in September 2019, we saw the Joker malware make headlines. 

So why can’t Google’s Play Protect detect the Joker Malware?

The malware uses a method called “Droppers” to infect the device. The process has multiple stages. According to Bleeping Computer, “Malware authors have realized in the past years that Google has a very hard time picking up "droppers" hidden in legitimate apps. For the past years, more and more malware operations have adopted this trick of splitting their code in two — a dropper and the actual malware. The reason is that droppers require a smaller number of permissions and exhibit limited behaviour that could be classified as malicious. Furthermore, adding timers that delay the execution of any malicious code with a few hours also helps the malware remain undetected during Google's scans. These simple tricks allow tiny pieces of malicious code to slip inside the Play Store hidden in all sorts of apps, of many categories. Once users run the apps, which in most cases do what they advertise, the malicious code executes, the dropper asks for various permissions, and if it gets them, then it downloads a far more potent malware”.

Put simply, delaying the malicious behaviour hides the malware from Google’s security scans. The infection starts when the app asks for permissions and the user grants them. This is why you must be very careful about giving apps permissions they don't need. For example, a torch app has no need to see your contacts, the dialer or your messages, so such permission requests must be denied.
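The permission check described above can be automated. The following is an added example, not code from the article or from Google: it reads a decoded AndroidManifest.xml and flags SMS, contacts, device-information and dialer permissions that an app's category does not need. The category baselines, the sample manifest and the package name com.example.torch are assumptions constructed for illustration, and the manifest is assumed to have been decoded to text XML already.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Permissions guarding the data named above: SMS, contacts, device info, dialer.
SENSITIVE = {
    P + "READ_SMS": "SMS messages",
    P + "RECEIVE_SMS": "SMS messages",
    P + "SEND_SMS": "SMS messages",
    P + "READ_CONTACTS": "contact list",
    P + "READ_PHONE_STATE": "device information",
    P + "CALL_PHONE": "dialer",
}

# Assumed per-category baselines, constructed for this example.
EXPECTED = {
    "torch": {P + "CAMERA", P + "FLASHLIGHT"},
    "scanner": {P + "CAMERA"},
    "messaging": {P + "READ_SMS", P + "RECEIVE_SMS", P + "SEND_SMS", P + "READ_CONTACTS"},
}

def requested_permissions(manifest_xml):
    """Return the permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml.strip())
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def audit(manifest_xml, category):
    """List (permission, data exposed) pairs the app category does not need."""
    allowed = EXPECTED.get(category, set())  # unknown category: flag everything sensitive
    extra = requested_permissions(manifest_xml) - allowed
    return sorted((p, SENSITIVE[p]) for p in extra if p in SENSITIVE)

# Constructed sample manifest for a hypothetical torch app.
SAMPLE = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>
"""

if __name__ == "__main__":
    for perm, data in audit(SAMPLE, "torch"):
        print(f"unexpected for a torch app: {perm} ({data})")
```

Android only lets an app request at runtime the permissions it declares in its manifest, so the declared list bounds what code loaded later inside the same app can ask for.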
