Microsoft has shared its detailed technical analysis of the persistent problem of “toll fraud” apps on Android, which it said remains one of the most common forms of Android malware.
Microsoft’s 365 Defender team points out that “toll billing,” or WAP (Wireless Application Protocol) fraud, is more complex than SMS or call fraud because of its multi-step attack flow, which the malware’s developers keep refining.
WAP fraud uses an infected device to connect to premium service payment pages through a device’s WAP connection. From there, payments are automatically charged to a device’s phone bill.
Microsoft explains in a blog post titled “Toll fraud malware: How an Android application can drain your wallet” that WAP fraud malware on Android can target users of specific network operators and uses dynamic code loading, a method of hiding malicious behavior.
When targeting users in specific regions, toll fraud Android malware only works if the device is subscribed to one of a list of targeted network operators. By default it uses a cellular connection for its operations, forcing the device to connect to the cellular network even when a Wi-Fi connection is available, according to Microsoft.
“Once the connection to a target network is confirmed, it will secretly start a fraudulent subscription and confirm without the user’s consent, in some cases even the one-time password (OTP) to do this,” explains Microsoft.
“It then suppresses SMS notifications related to the subscription to prevent the user from becoming aware of the fraudulent transaction and opting out of the service.”
The steps that WAP malware follows according to Microsoft include:
- Turn off the Wi-Fi connection or wait for the user to switch to a mobile network
- Silently navigate to the subscription page
- Automatically click the subscription button
- Intercept the OTP
- Send the OTP to the service provider
- Cancel the SMS notifications
Microsoft highlights ways in which WAP fraud malware avoids Google’s permissions-based model of restricting behavior on Android. In this case, it is done to target users in a specific country or region.
“An important unauthorized inspection that the malware performs before performing these steps is identifying the subscriber’s country and mobile network via the mobile country codes (MCC) and mobile network codes (MNC),” Microsoft said.
The company also provides a detailed technical analysis of how WAP malware forces the device onto cellular communication, retrieves premium service offers and initiates subscriptions, and intercepts OTPs and suppresses notifications.
So, what can users do to protect themselves?
Microsoft recommends that users only install apps from the Google Play Store or other trusted services.
It also advises users not to grant powerful permissions that are rarely needed, such as SMS permissions, notification listener access, “or accessibility access to applications without a good understanding of why the application needs it.”
To address dynamic loading, the Google Play Store Developer Program Policy includes a section on dynamic loading in a note on backdoors. Google has also introduced API restrictions to address this issue.
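The attack flow listed above and the permission advice that follows it describe a specific capability combination: control over the network path, SMS access for the OTP, a notification listener to hide the subscription SMS, and dynamic code loading to conceal the logic. The following static triage script, added here as an example and not code from Microsoft or Google, checks a decoded AndroidManifest.xml and a list of class references (as produced by apktool and a decompiler) for that combination. The manifest, class list, permission sets, flag names and verdict thresholds are all constructed for this example; the Android permission and class names themselves are real.

```python
"""Static triage of an Android package for the capability combination that the
toll-fraud flow relies on: network-state control (Wi-Fi off / cellular on),
SMS access (OTP interception), a notification listener (suppressing the
subscription SMS) and dynamic code loading (hiding the logic).

Inputs: the decoded AndroidManifest.xml text and a list of fully qualified
class references pulled from the dex. All sample values below are constructed
for this example and do not come from any real app.
"""
import xml.etree.ElementTree as ET

# Attributes in the manifest live in the android: XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names; holding one is routine for many legitimate
# apps, so only the combination is treated as a signal.
SMS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
NETWORK_PERMS = {
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.CHANGE_NETWORK_STATE",
}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Class loaders used to execute dex code that was not part of the APK at
# install time (also used by legitimate plugin and hot-fix frameworks).
DYNAMIC_LOADERS = (
    "dalvik.system.DexClassLoader",
    "dalvik.system.InMemoryDexClassLoader",
)


def triage(manifest_xml, class_refs):
    """Return {"package": ..., "flags": [...], "verdict": ...} for one APK."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    # Notification listeners and accessibility services declare the binding
    # permission on the <service> element, not in <uses-permission>.
    service_perms = {el.get(ANDROID_NS + "permission") for el in root.iter("service")}

    flags = []
    if requested & SMS_PERMS:
        flags.append("sms_access")
    if requested & NETWORK_PERMS:
        flags.append("network_state_control")
    if NOTIFICATION_LISTENER in service_perms:
        flags.append("notification_listener")
    if ACCESSIBILITY in service_perms:
        flags.append("accessibility_service")
    if any(ref.startswith(DYNAMIC_LOADERS) for ref in class_refs):
        flags.append("dynamic_code_loading")

    # Threshold chosen for this example: SMS access plus at least two of the
    # other capabilities is close enough to the described flow to justify a
    # manual review; anything less is merely noted.
    if "sms_access" in flags and len(flags) >= 3:
        verdict = "review"
    elif flags:
        verdict = "note"
    else:
        verdict = "clean"
    return {"package": root.get("package"), "flags": flags, "verdict": verdict}


# Constructed sample manifest (hypothetical package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application>
    <service android:name=".NotifSvc"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed class references, as a decompiler's class list would show them.
SAMPLE_CLASS_REFS = [
    "android.telephony.TelephonyManager",
    "dalvik.system.DexClassLoader",
    "com.example.wallpapers.MainActivity",
]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_CLASS_REFS))
```

A "review" verdict is a prompt for analysis, not a malware verdict: messaging apps legitimately hold SMS permissions, and plugin frameworks legitimately use DexClassLoader. The value of the check is that the four capabilities together are rarely needed by the kind of utility app that toll fraud families typically impersonate.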
“If an app allows dynamic loading of code and the dynamically loaded code extracts text messages, it is classified as a backdoor malware,” Google notes.
Google removed 1,700 apps from the Play Store in 2020 that had been submitted since 2017 and were infected with variants of the Bread (aka Joker) family of WAP fraud malware.
While Google detected and removed many Bread apps, the group behind them continued to make minor tweaks to evade detection.