Joker (Bread)¶
Joker is the most persistent billing fraud family on Android, tracked internally by Google as "Bread." Active since 2017, it has maintained a continuous presence on the Google Play Store through thousands of variants that cycle through evasion techniques faster than automated defenses can adapt. The family monetizes through WAP billing fraud, premium SMS subscriptions, and silent enrollment in paid services, generating revenue by charging victims through their phone bills.
Overview¶
| Attribute | Details |
|---|---|
| First Seen | 2017 |
| Status | Active |
| Type | Billing fraud, premium SMS, subscription fraud |
| Attribution | Unknown, likely multiple independent operators |
| Aliases | Bread (Google), Joker (CSIS). Facestealer is a separate Facebook credential-stealing family that vendors have reported in the same batches of malicious Play Store apps; it is not an alias of Joker |
Origin and Lineage¶
Joker was first identified in the wild in 2017 and documented by Aleksejs Kuprins at CSIS Security Group in 2019 after discovery in 24 apps with over 472,000 combined installs. Google's Android Security team began tracking the family as "Bread" in early 2017 and published a detailed analysis in January 2020 revealing they had already removed over 1,700 infected apps from the Play Store. The family name "Joker" comes from one of the early C2 server domains.
There is no single operator behind Joker. The low barrier to entry and high profitability of billing fraud means multiple independent threat actors build and submit Joker variants simultaneously. Google reported receiving up to 23 new Joker submissions in a single day during peak activity.
Distribution¶
Joker distributes almost exclusively through the Google Play Store (clones have also surfaced on third-party stores, for example Huawei AppGallery in 2021), and the operational model depends on getting past Play Protect and app review. Distribution tactics include:
| Tactic | Description |
|---|---|
| Functional wrapper apps | Malicious code injected into legitimate utility apps (QR scanners, wallpaper apps, PDF tools, messaging apps) |
| Versioning | Upload a clean app, build user base, push malicious update |
| Minimal initial payload | First submission contains only a dropper; malicious payload downloaded from C2 post-install |
| Category rotation | Shift between app categories to avoid pattern detection |
| Developer account cycling | Burn and replace developer accounts when banned |
Typical app categories abused: camera utilities, wallpapers, emoji keyboards, messaging clients, health trackers, PDF readers, and translation tools.
Capabilities¶
Fraud Mechanisms¶
| Mechanism | Description |
|---|---|
| WAP billing | Connects to premium service payment pages over the device's mobile data connection; charges appear on phone bill |
| Premium SMS | Sends SMS to premium-rate short codes |
| Subscription fraud | Opens invisible WebViews to subscription pages, auto-fills phone number, intercepts confirmation OTP via SMS |
WAP billing is the primary revenue source. The malware forces the device onto mobile data (disabling Wi-Fi if needed), navigates to carrier billing pages, and completes the subscription flow programmatically. After Google's Play policy restricting the SMS and Call Log permission groups took effect in early 2019, the family shifted almost entirely from premium SMS to WAP/toll fraud, since the OTP can then be read from the SMS app's notification rather than from the SMS itself. Kaspersky published a detailed comparison of subscription trojans covering Joker alongside MobOk, Vesub, and GriftHorse, documenting the WAP billing abuse and SMS interception techniques each family uses.
Evasion Evolution¶
Joker's defining characteristic is the speed at which it iterates evasion techniques. Google's 2020 blog post describes this as an arms race. Zscaler ThreatLabz and Trend Micro have published analyses tracking this progression:
| Era | Technique | Details |
|---|---|---|
| 2017-2018 | Direct SMS fraud | Called SMS APIs directly; detected quickly after Google tightened SEND_SMS policy |
| 2018-2019 | String encryption | AES, Blowfish, DES, and combinations to hide C2 addresses and payload URLs from static scanners |
| 2019 | Java reflection | Resolved classes and methods through the Java reflection API from strings decrypted at runtime, so the sensitive API names never appear in the bytecode |
| 2019-2020 | Native code | Moved core logic to .so libraries; harder for bytecode-level scanners to inspect |
| 2020 | Versioning | Submitted clean apps, pushed malicious payloads in updates |
| 2020-2021 | Commercial packers | Used Qihoo360, AliProtect, SecShell to wrap payloads |
| 2021 | GitHub payload hosting | Stored payloads on GitHub Pages to avoid domain blocklists |
| 2021-2022 | URL shortener chains | Used TinyURL, bit.ly, Rebrand.ly, zws.im to mask payload URLs from known-bad domain lists |
| 2022+ | Multi-stage droppers | Play Store app contains only loader; fetches encrypted intermediate payload; intermediate fetches final payload |
Payload Obfuscation¶
Encryption across Joker variants is not standardized. Zscaler documented the following approaches across different variants:
| Method | Usage |
|---|---|
| AES + Base64 | Most common string encryption; each class may use a different key |
| XOR | Basic payload encryption in early variants |
| Nested XOR | Multiple XOR rounds with different keys |
| DES / Blowfish | Less common but observed in specific campaigns |
| Custom key derivation | Per-class or per-method keys generated at runtime |
| Asset file disguise | Payloads hidden as .json, .ttf, .png, or .db files in the assets directory |
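The two obfuscation layers that a triage script can peel off statically are the asset-file disguise and the XOR wrapping. The following is an added example written for this page, not Joker's code and not any vendor's tool: it flags assets whose leading bytes disagree with their extension, then recovers a short repeating XOR key by known plaintext against the DEX or ZIP header. Nested XOR with keys of lengths a and b collapses to a single key of length lcm(a, b), so the same recovery covers the "nested XOR" row. The asset set at the bottom (a genuine PNG, a JSON file, and a XOR-wrapped DEX posing as a font) is constructed for the example.

```python
"""Asset-payload triage for Joker-style disguised files (added example)."""
import os

DEX_MAGIC = b"dex\n035\x00"      # DEX file, version 035 header
ZIP_MAGIC = b"PK\x03\x04"        # JAR/APK stage-2 payloads are ZIP containers

# Leading bytes a file with this extension should legitimately have.
EXPECTED_MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".ttf": [b"\x00\x01\x00\x00", b"true", b"OTTO"],
    ".db": [b"SQLite format 3\x00"],
    ".json": [b"{", b"[", b" ", b"\n", b"\t", b"\r"],
}


def magic_mismatch(name, data):
    """True when the extension promises a format the leading bytes don't show."""
    ext = os.path.splitext(name)[1].lower()
    expected = EXPECTED_MAGIC.get(ext)
    if expected is None:
        return False  # unknown extension: nothing to compare against
    return not any(data.startswith(m) for m in expected)


def xor_bytes(data, key):
    """XOR data with a repeating key (also undoes the wrapping)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(data, max_key_len=4):
    """Known-plaintext recovery of a repeating XOR key.

    For a candidate key length k, key[i] = cipher[i] ^ magic[i] for i < k;
    the remaining magic bytes must then decrypt correctly, which is what
    rules out coincidental matches. Returns (key, kind) or None.
    """
    for magic, kind in ((DEX_MAGIC, "dex"), (ZIP_MAGIC, "zip")):
        if len(data) < len(magic):
            continue
        for klen in range(1, max_key_len + 1):
            if len(magic) - klen < 2:  # insist on at least two verified bytes
                break
            key = bytes(data[i] ^ magic[i] for i in range(klen))
            if xor_bytes(data[:len(magic)], key) == magic:
                return key, kind
    return None


def analyze_assets(assets):
    """Map asset path -> {'mismatch': bool, 'xor_key': bytes|None, 'kind': str|None}."""
    report = {}
    for name, data in assets.items():
        hit = recover_xor_key(data)
        report[name] = {
            "mismatch": magic_mismatch(name, data),
            "xor_key": hit[0] if hit else None,
            "kind": hit[1] if hit else None,
        }
    return report


def build_sample_assets():
    """Constructed sample set, not real Joker artifacts."""
    fake_dex = DEX_MAGIC + b"\x00" * 24 + b"constructed stage-2 body"
    return {
        "assets/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "assets/config.json": b'{"version": 1}',
        "assets/fonts/roboto.ttf": xor_bytes(fake_dex, b"\x5a\xa3"),  # 2-byte key
    }


if __name__ == "__main__":
    for path, info in analyze_assets(build_sample_assets()).items():
        print(path, info)
```

The key-length cap matters: with an 8-byte DEX header, a candidate key of length 8 would always "verify" because every key byte is derived from the header itself, so the recovery only accepts key lengths that leave at least two header bytes to check. AES- or Blowfish-wrapped payloads will show only the magic mismatch; for those the key has to be pulled from the decrypting class.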
Technical Details¶
Infection Flow¶
```text
Play Store App (clean-looking utility)
→ Application subclass overrides attachBaseContext() and loads the dropper component
→ Dropper decrypts embedded or downloaded stage-2 payload
→ Stage-2 contacts C2 for configuration (target country, carrier, subscription URLs)
→ Checks MCC (Mobile Country Code) against target list
→ If match: disables Wi-Fi, forces mobile data
→ Opens WAP billing page in invisible WebView
→ Injects JavaScript to auto-fill phone number and confirm subscription
→ Intercepts SMS confirmation code via NotificationListenerService or BroadcastReceiver
→ Submits OTP to complete enrollment
→ Deletes confirmation SMS
```
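A decoded AndroidManifest.xml cannot show the runtime steps of the flow above (the WebView injection or the OTP submission), but it does show whether the app declares the capabilities each step needs: a custom Application class (where an attachBaseContext() loader would live), network control, SIM access for the MCC check, and an OTP capture path through either an SMS receiver or a NotificationListenerService. The triage script below is an added example, not Joker's code; the manifest it parses is constructed for a wallpaper-style wrapper app, and every package, class and component name in it is a placeholder.

```python
"""Manifest triage against the Joker infection flow (added example)."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permission -> step of the infection flow it enables.
FLOW_PERMISSIONS = {
    "android.permission.INTERNET": "contact C2 and load the billing page",
    "android.permission.CHANGE_WIFI_STATE": "disable Wi-Fi to force mobile data",
    "android.permission.ACCESS_NETWORK_STATE": "check which network is active",
    "android.permission.READ_PHONE_STATE": "read SIM operator (MCC) for country targeting",
    "android.permission.RECEIVE_SMS": "capture the confirmation SMS via broadcast",
    "android.permission.READ_SMS": "read and delete the confirmation SMS",
}
NOTIF_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(xml_text):
    """Return the flow-relevant declarations found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    declared = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    report = {
        "permissions": {p: why for p, why in FLOW_PERMISSIONS.items() if p in declared},
        "custom_application": None,
        "otp_paths": [],
    }
    app = root.find("application")
    if app is not None and app.get(ANDROID + "name"):
        report["custom_application"] = app.get(ANDROID + "name")
    # Path 1: a NotificationListenerService reads the OTP out of the SMS app's
    # notification and needs no SMS permission at all (post-2019 variants).
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == NOTIF_LISTENER_PERM:
            report["otp_paths"].append(("notification_listener", svc.get(ANDROID + "name")))
    # Path 2: a high-priority SMS_RECEIVED receiver sees the OTP before the SMS app.
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                prio = int(flt.get(ANDROID + "priority", "0"))
                report["otp_paths"].append(("sms_receiver", rcv.get(ANDROID + "name"), prio))
    return report


def flow_indicators(report):
    """Summarise which steps of the infection flow the manifest supports."""
    perms = report["permissions"]
    hits = []
    if report["custom_application"]:
        hits.append("loader: custom Application class, inspect attachBaseContext()")
    if "android.permission.INTERNET" in perms:
        hits.append("c2: network access declared")
    if "android.permission.CHANGE_WIFI_STATE" in perms:
        hits.append("wap: can force mobile data by disabling Wi-Fi")
    if "android.permission.READ_PHONE_STATE" in perms:
        hits.append("targeting: can read SIM MCC")
    if report["otp_paths"]:
        hits.append("otp: %d capture path(s)" % len(report["otp_paths"]))
    return hits


# Constructed manifest for a wallpaper-style wrapper app (placeholder names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:name="com.example.wallpapers.App" android:label="Wallpapers">
        <activity android:name=".MainActivity"/>
        <service android:name=".NotifyService"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

if __name__ == "__main__":
    for line in flow_indicators(triage_manifest(SAMPLE_MANIFEST)):
        print(line)
```

These are indicators for manual review, not a verdict: a legitimate messaging client declares several of them. What is anomalous is the combination in an app whose store listing is a wallpaper or QR tool, and a notification-listener service in a wrapper app that has no reason to read other apps' notifications.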
C2 Communication¶
C2 addresses are hidden using the techniques described in the evasion table. Common patterns include:
- Encrypted strings in `strings.xml` or class constants, decrypted at runtime
- C2 URLs split across multiple string variables, concatenated at runtime (e.g., the string "sticker" inserted as a delimiter between URL fragments and stripped before use)
- Cloud storage services (Firebase, GitHub) used as intermediate payload hosts
- Some variants use no persistent C2: the entire configuration is baked into the downloaded payload
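The split-and-concatenate pattern is cheap to undo once the code is decompiled. The script below is an added example written for this page, not Joker's code or any vendor's tool: it concatenates every chain of string literals joined by `+`, learns the delimiter tokens from `.replace("<token>", "")` calls in the same source, strips them, and reports anything that then looks like a URL or hostname. The decompiled snippet it runs over is constructed to mimic the "sticker" delimiter pattern; the class, method and host names in it are invented.

```python
"""Reconstructing split C2 strings from decompiled Joker-style code (added example)."""
import re

# A "..." literal, escaped quotes allowed inside.
_LIT = r'"((?:[^"\\]|\\.)*)"'
# Two or more literals joined by '+', possibly across line breaks.
_CHAIN = re.compile(r'"(?:[^"\\]|\\.)*"(?:\s*\+\s*"(?:[^"\\]|\\.)*")+')
# Delimiter tokens deleted at runtime: x.replace("sticker", "") or replaceAll(...)
_STRIP = re.compile(r'\.replace(?:All)?\(\s*"([^"\\]+)"\s*,\s*""\s*\)')
# Scheme optional: some variants prepend it at runtime.
_URLISH = re.compile(r'^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]\S*)?$', re.I)


def find_delimiters(src):
    """Tokens the code deletes from strings at runtime."""
    return sorted(set(_STRIP.findall(src)))


def join_literal_chains(src):
    """Concatenate every '+' chain of string literals, in source order."""
    return ["".join(re.findall(_LIT, m.group(0))) for m in _CHAIN.finditer(src)]


def recover_c2_candidates(src, extra_delimiters=()):
    """Return [(raw_joined, decoded)] for chains that decode to a URL or host."""
    delims = find_delimiters(src) + list(extra_delimiters)
    out = []
    for raw in join_literal_chains(src):
        decoded = raw
        for d in delims:
            decoded = decoded.replace(d, "")
        if _URLISH.match(decoded):
            out.append((raw, decoded))
    return out


# Constructed decompiled snippet (not real Joker output).
SAMPLE_SRC = r'''
public final class c {
    public static String a() {
        String u = "htt" + "ps://" + "sticker" + "cdn-" + "up" + "date"
                 + "sticker" + "." + "example" + ".net" + "/" + "cfg";
        return u.replace("sticker", "");
    }
    public static String b() {
        return "Loading" + " " + "wallpaper";
    }
    public static String d() {
        return "api" + ".sticker" + "example" + ".org";
    }
}
'''

if __name__ == "__main__":
    print("delimiters:", find_delimiters(SAMPLE_SRC))
    for raw, decoded in recover_c2_candidates(SAMPLE_SRC):
        print(raw, "->", decoded)
```

`extra_delimiters` is for the case where the stripping happens in a different class than the concatenation, so the token cannot be learned from the same file. Encrypted strings (the AES+Base64 layer) have to be decrypted first; this pass only handles what is already in the clear.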
Country Targeting¶
Joker variants typically embed a list of target Mobile Country Codes (MCC). The MCC is taken from the SIM operator code (TelephonyManager.getSimOperator() returns the MCC followed by the MNC); if it does not match a targeted country, the malware does not activate and the device only ever sees the benign wrapper app. This selective targeting reduces exposure, helps avoid detection in regions where researchers are more active, and means a sandbox without a SIM profile from a targeted country observes no fraud. Common target regions include Southeast Asia, the Middle East, and Western Europe.
Target Regions¶
Joker targets countries where WAP billing and premium SMS services are active and profitable. Primary targets have included:
| Region | Countries |
|---|---|
| Europe | UK, Germany, France, Spain, Italy, Netherlands |
| Asia | India, Thailand, Malaysia, Indonesia, China |
| Middle East | Saudi Arabia, UAE, Kuwait |
| Americas | Brazil, Argentina |
| Oceania | Australia |
Coverage varies by variant. Operators select targets based on which carriers have exploitable billing flows.
Notable Campaigns¶
2019, September: CSIS researcher Aleksejs Kuprins publishes initial analysis identifying Joker in 24 Google Play apps with 472,000+ downloads. Documents SMS theft, contact exfiltration, and premium service enrollment.
2020, January: Google publishes "PHA Family Highlights: Bread (and Friends)", revealing 1,700+ apps removed since 2017 and describing the ongoing cat-and-mouse with Bread operators.
2020, July: Check Point Research identifies a new variant that hides a Base64-encoded .dex payload in the AndroidManifest.xml metadata rather than in a downloaded file, reviving an old technique from desktop malware to evade updated Play Protect signatures.
2020, September: Google removes 17 Joker-infected apps with 120,000+ combined downloads after detection by Zscaler ThreatLabz.
2020, November: Trend Micro documents Joker variants using GitHub and GitHub Pages to host payloads, a technique not previously observed in the family.
2021, June: Zscaler finds additional Joker apps on Google Play using URL shortener chains and multi-layer encryption to hide payload delivery.
2022, July: Pradeo identifies Joker variants with over 100,000 installs, confirming the family's continued Play Store presence five years after initial discovery.
2022, August: Zscaler reports Joker alongside Facestealer and Coper in a batch of malicious Google Play apps, showing the family remains part of the active Play Store threat landscape.