SMS Frauding Malware Joker (Also, Bread) comes in the hands of Google, Google has already removed 1,700 apps from Play Store. There are 24 apps included in the list with over 500k downloads.
Due to the introduction of new policies, Play Protect start defending against organized persistent attacker “Joker”. The app with Joker malware performs WAP Billing that leads to SMS as well as Toll Fraud. New policies have restricted the use of SEND_SMS permission.
According to a Blog Post from Google, The Malware initiates the fraud by sending SMS to start paid services from the device without any interaction with the user. Such deceptive apps without consent from the user lead to billing fraud. The subscription has been done without clicking on the confirm button by the user, also, the contact number to cancel it is not real.
Bread has also leveraged an abuse tactic unique to app stores: versioning. Some apps have started with clean versions, in an attempt to grow user bases and build the developer accounts’ reputations. Only later is the malicious code introduced, through an update. However, GPP does not treat new apps and updates any differently from an analysis perspective.Google Blog Post
In the toll fraud category, users pay by visiting a carriers page and entering the phone number. Users get tricked to subscribing to different content as the app already has the SMS authentication. The combination of injected clicks, custom HTML parsers, and SMS receivers leads to the automatic billing process.