Microsoft has shared its detailed technical analysis of the persistent problem of ‘toll fraud’ apps on Android, which it said remains one of the most prevalent types of Android malware.
Microsoft’s 365 Defender Team points out that ‘toll billing’, or Wireless Application Protocol (WAP) fraud, is more complex than SMS fraud or call fraud because of its multi-step attack flow, which its developers keep refining.
WAP fraud involves using an infected device to connect to payment pages of a premium service via a device’s WAP connection. From there, payments are automatically charged to a device’s phone bill.
Microsoft explains in a blogpost, entitled ‘Toll fraud malware: How an Android application can drain your wallet’, that WAP fraud malware on Android is capable of targeting users of specific network operators and uses dynamic code loading — a method for hiding malicious behavior.
When targeting users in specific regions, toll fraud Android malware only operates if the device is subscribed to one of a list of targeted network operators. By default, it uses a cellular connection for its activities and forces the device to connect to the mobile network even when a Wi-Fi connection is available, according to Microsoft.
“Once the connection to a target network is confirmed, it stealthily initiates a fraudulent subscription and confirms it without the user’s consent, in some cases even intercepting the one-time password (OTP) to do so,” Microsoft explains.
“It then suppresses SMS notifications related to the subscription to prevent the user from becoming aware of the fraudulent transaction and unsubscribing from the service.”
The steps WAP malware follows according to Microsoft include:
- Disable the Wi-Fi connection or wait for the user to switch to a mobile network
- Silently navigate to the subscription page
- Auto-click the subscription button
- Intercept the OTP
- Send the OTP to the service provider
- Cancel the SMS notifications
Microsoft highlights ways that WAP fraud malware sidesteps Google’s permissions-based model for restricting app behavior on Android. In this case, it is done to target users within a specific country or region.
“One significant and permissionless inspection that the malware does before performing these steps is to identify the subscriber’s country and mobile network through the mobile country codes (MCC) and mobile network codes (MNC),” Microsoft said.
The firm also offers a detailed technical analysis of how WAP malware forces cellular communication, fetches premium service offers and initiates subscriptions, and intercepts OTPs and suppresses notifications.
So, what can users do to protect themselves?
Microsoft recommends users only install apps from the Google Play Store or other trusted services.
It also recommends users avoid granting powerful permissions that are not commonly needed, such as SMS permissions, notification listener access, “or accessibility access to any applications without a strong understanding of why the application needs it.”
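The permission combination described above (SMS access, a notification listener or accessibility service, plus the ability to change network state, which together cover the steps in the list earlier in the article) can be turned into a simple triage heuristic. This is an added example, not tooling from Microsoft or Google; the permission identifiers are real Android ones, the sample app entries are constructed, and a single capability on its own is deliberately not flagged because it has many benign uses.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Real Android permission identifiers. The two ending in _SERVICE are declared
# on a <service android:permission=...> element rather than <uses-permission>.
READ_SMS = "android.permission.READ_SMS"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
CHANGE_WIFI_STATE = "android.permission.CHANGE_WIFI_STATE"
CHANGE_NETWORK_STATE = "android.permission.CHANGE_NETWORK_STATE"
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


@dataclass
class Verdict:
    app: str
    suspicious: bool
    reasons: List[str]


def assess(app: str, permissions: Iterable[str]) -> Verdict:
    """Flag an app whose permissions cover several steps of the WAP-fraud chain:
    SMS access (OTP and subscription notices), notification/accessibility access,
    and network control (dropping Wi-Fi so traffic goes over the carrier)."""
    perms = set(permissions)
    reasons = []
    if perms & {READ_SMS, RECEIVE_SMS}:
        reasons.append("SMS access: can read OTPs and subscription notices")
    if NOTIFICATION_LISTENER in perms:
        reasons.append("notification listener: can read and dismiss notifications")
    if ACCESSIBILITY in perms:
        reasons.append("accessibility service: can act on screens without user input")
    if perms & {CHANGE_WIFI_STATE, CHANGE_NETWORK_STATE}:
        reasons.append("network control: can disable Wi-Fi or force cellular")
    # One capability alone is common in legitimate apps (an SMS client, a Wi-Fi
    # toggle). SMS access combined with at least one other capability is what
    # is unusual for a utility app and worth a manual review.
    suspicious = bool(perms & {READ_SMS, RECEIVE_SMS}) and len(reasons) >= 2
    return Verdict(app, suspicious, reasons)


# Constructed sample inputs, not real apps.
SAMPLE_APPS = {
    "flashlight": [RECEIVE_SMS, READ_SMS, NOTIFICATION_LISTENER, CHANGE_WIFI_STATE,
                   "android.permission.INTERNET"],
    "sms_client": [READ_SMS, RECEIVE_SMS, "android.permission.SEND_SMS"],
    "wifi_toggle": [CHANGE_WIFI_STATE, "android.permission.ACCESS_WIFI_STATE"],
}


def triage(apps=SAMPLE_APPS) -> List[Verdict]:
    """Run the heuristic over a name -> permission-list mapping."""
    return [assess(name, perms) for name, perms in apps.items()]
```

In practice the permission lists come from a manifest dumped with `aapt dump permissions` or an analysis framework; the heuristic is a review aid, not a verdict.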
To tackle dynamic code loading, Google’s Play Store Developer Program Policy includes a section on dynamic loading in its note on backdoors. Google has also introduced API restrictions to address this issue.
“If an app allows dynamic code loading and the dynamically loaded code is extracting text messages, it will be classified as a backdoor malware,” Google notes.
In 2020, Google removed 1,700 apps from the Play Store that had been submitted since 2017 and were infected with variants of the Bread group’s (aka Joker) WAP fraud malware.
While Google detected and booted many Bread apps, the group behind it kept making minor tweaks to evade detection.