A new generation of Android scamware employs several tricks to register users to costly services.
According to Microsoft, Android malware developers have stepped up their billing fraud games with applications that disable WiFi connections, covertly subscribe individuals to costly wireless services and intercept messages.
This threat has long loomed over the platform, as exemplified by Joker, a malware family that has affected millions of cellphones since 2016. Despite that awareness, little attention has been paid to the techniques toll fraud malware actually uses. Microsoft has now released a technical analysis of the problem.
WAP mechanism
WAP, short for Wireless Application Protocol, provides a way to access data over mobile networks. WAP billing is the mechanism most commonly abused in this fraud.
Cellphone users can sign up for such services by visiting a service provider’s web page while their smartphone is connected over the mobile network and clicking the subscription button.
In some instances, the carrier responds by sending a one-time password (OTP) to the phone by SMS and requires the user to send it back to confirm the subscription request.
The objective of these malicious applications is to register infected cellphones to WAP services automatically, without the owner’s consent or knowledge.
How do they do it?
Microsoft researchers believe malicious apps achieve this by following these steps:
- Disconnect the WiFi (or wait until the user switches to the mobile network)
- Secretly navigate to the subscription pages
- Automatically click the subscription button
- Intercept the OTP, when applicable
- Send the OTP back to the provider, when applicable
- Suppress the SMS notifications, when applicable
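The steps above, seen from the analyst’s side: the following is an added example (not from the article or from Microsoft’s report) that maps the permissions declared in a decoded AndroidManifest.xml onto those steps as a triage heuristic. The step-to-permission mapping, the thresholds and the SAMPLE_MANIFEST are my own assumptions; a match is a reason to look closer, not proof of fraud.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Each toll-fraud step from the article, paired with the Android permissions an
# app would plausibly need to carry it out. This mapping is an assumption for
# triage, not something the report states.
STEP_PERMISSIONS = {
    "disconnect WiFi / force mobile network": {
        "android.permission.CHANGE_WIFI_STATE",
        "android.permission.CHANGE_NETWORK_STATE",
    },
    "load subscription pages in the background": {"android.permission.INTERNET"},
    "intercept OTP / suppress SMS notifications": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
    },
    "send OTP back to the provider": {"android.permission.SEND_SMS"},
}

def declared_permissions(manifest_xml):
    """Return the set of <uses-permission> names in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))
    return {n for n in names if n}

def toll_fraud_capabilities(manifest_xml):
    """Map the manifest's permissions onto the fraud steps they would enable."""
    perms = declared_permissions(manifest_xml)
    return {step for step, needed in STEP_PERMISSIONS.items() if perms & needed}

def is_suspicious(manifest_xml):
    """Flag an app that can both read incoming SMS and reach the network. WiFi control
    is deliberately not required: per the article, the malware can simply wait."""
    caps = toll_fraud_capabilities(manifest_xml)
    return ("intercept OTP / suppress SMS notifications" in caps
            and "load subscription pages in the background" in caps)

# Constructed sample: a wallpaper app that has no business reading or sending SMS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

if __name__ == "__main__":
    for step in sorted(toll_fraud_capabilities(SAMPLE_MANIFEST)):
        print("capable of:", step)
    print("suspicious:", is_suspicious(SAMPLE_MANIFEST))
```

Run it against a manifest dumped with apktool or aapt; a benign app that only requests INTERNET maps to a single step and is not flagged.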
“By subscribing users to premium services, this malware can lead to victims receiving significant mobile bill charges”, Microsoft researchers wrote. “Affected devices also have increased risk because this threat manages to evade detection and can achieve a high number of installations before a single variant gets removed.”