Roman Unuchek & Nick Anderson, Google
Roman is a reverse engineer with the Android Malware Research Team at Google, where he is focused on projects that hunt down malicious apps as part of Google Play Protect. For more than 10 years Roman has been detecting and analyzing mobile malware, focusing on large botnets and advanced threats. Roman has previously presented at conferences including RSA, VB, CARO, AVAR and Kaspersky SAS.
Session
The Joker toll fraud family is one of the best-known Android malware families. For more than six years its operators have been submitting malicious apps to the Play Store, and over that time they have become very proficient at hiding their code and behavior from app analysis systems. They adapt quickly to improvements in Google's detection infrastructure and constantly change their behavior.
For one variant in particular, we identified that the actors were using newly registered domains and never reusing them for other apps. Such domains are extremely hard to discover because each registration uses different details and the domain names themselves sometimes look legitimate. However, we discovered a flaw in their infrastructure that allowed us to identify new apps quickly, before they were distributed to users.
In this talk we'll cover common tactics used by the Joker toll fraud family and go in depth on a flaw we discovered: when the Joker threat actors spin up new back-end infrastructure to service a new app campaign, they rely on default configurations. Using this flaw we have built an early detection mechanism leveraging Censys APIs that lets us identify new toll fraud apps in near real time and prevent the publication of malicious apps to the Play Store, protecting Android users.