These new Billing Fraud Apps on Google Play Store were downloaded by over 750K Android users

A set of apps responsible for fraudulent activities have been discovered by a team of researchers. These applications were present on the Google Play Store responsible for hijacking notification of SMS messages for billing scam. Most of the users that were targeted by the apps were from Southwest Asia and from the Arabian Peninsula. The app successfully managed to reach more than 750K downloads before being uncovered by the researchers and getting removed from the hosting platform. Two cyber security firms namely McAfee and Trend Micro were the first to report these findings independently.

According to the researchers from McAfee, these apps used to depict themselves as photo editors, wallpapers, keyboard skins, puzzles and many other apps related to the camera. Later these applications would hijack the SMS notification by the embedded malware and would start unauthorized purchases from the hacked user. It was found that these fraudulent apps were the property of the commonly known as joker also known as Bread. For the past four years this malware has been successfully able to sneak through the Google Play reviewers, repeatedly as a result, Google took down almost 1700 infected applications at the beginning of the year 2020, with this malware. Currently, McAfee is also tracking down an other potential threat with a different moniker named as Etinu.

This malware is well known for committing frauds related to payments through the spyware capabilities that it holds which includes the ability to steal the SMS messages, device data and information as well the user’s contact list. The developers of this malware uses a method known as versioning that can help them to upload a malware free version of the app in order to gain trust from the Play Store users and once the app is installed, the fraudulent codes are introduced through the updated version of the application later. This is how they manage to slip past the review process.

The additional codes that are introduced as a payload for first stage, which is actually a deception that these codes are harmless, while they are establishing with C2 also known as the command and control in order to revive a hidden key which is used to decode the file. This mid state payload ultimately decrypt and the malware is installed. After investigating the C2 service, it was discovered that all personal information including phone number, SMS messages, IP address , carrier, network status and country was gathered. A list with 9 apps with this malware was also released. Which had names including:
  • Keyboard Wallpaper
  • 2021 wallpaper and Keyboard
  • Barber Prank Hair Dryer, Clipper and Scissors
  • PIP Photo maker
  • Pop Ringtones for Android
  • Picture Editor
  • PIP Camera
  • Cool Girl Wallpaper
In a statement given by Trend Micro researchers they stated that based on how the developers of Joker continuously makes sure that malware stays persistent on the Google Play Store even though it has been taken down many times. They said its a proof that the developers are earning profit from this method.

Read next: Users in Major Countries Targeted by A Fake Facebook Messenger Update Scam


  1. I got scammed by a company at charged $59.63.
    how do I get this charge reversed.
    please advise asap.

Previous Post Next Post