According to a warning from Microsoft, toll fraud malware, one of the most common Android threats, is evolving with capabilities that automate subscriptions to premium services. Toll fraud is a subset of billing fraud, in which the threat actor tricks victims into paying for premium services; what distinguishes it from other billing fraud, such as luring victims into calling or sending an SMS to a premium number, is that toll fraud requires a mobile operator's network connection, because its billing mechanism cannot operate over WiFi.
In the report, Microsoft provides technical detail on how toll fraud malware operates and how Android users can protect themselves. Toll fraud abuses Wireless Application Protocol (WAP) billing, which lets customers subscribe to premium content and have the fee added to their phone bill. The customer, connected via the mobile network, clicks a subscription button; some services additionally ask the user to confirm the selection with a one-time password (OTP).
Malware that facilitates toll fraud starts the fraudulent subscription, intercepts the OTPs, and suppresses the warnings that would alert the victim. Microsoft identified several phases in the process, which usually take place without the user being aware of them:
- Turns off WiFi, or waits for the user to switch to a mobile network
- Navigates covertly to the subscription page
- Auto-clicks the subscribe button
- Intercepts the OTP (if applicable)
- Sends the OTP to the service provider (if applicable)
- Suppresses the SMS notifications (if applicable)
The malware begins by gathering the subscriber's country and mobile network, information Android exposes without requiring user consent. Disabling the WiFi connection and forcing the device onto the operator's network is the key step. On Android 9 (API level 28) or earlier this can be done with a permission of the normal protection level. On higher API levels the malware uses the 'requestNetwork' function, which is covered by the CHANGE_NETWORK_STATE permission, also of the normal protection level. Microsoft demonstrated this with a sample of the Joker malware family, which has repeatedly slipped into Google's Play Store for more than five years.
The toll fraud malware then uses a 'NetworkCallback' to track network activity and obtain the network type, binding the process to a specific network and compelling the device to forgo the WiFi connection in favor of the one provided by the mobile operator. The user can only override this by manually turning off mobile data. If the victim's mobile carrier is on its target list, the malware then attempts to subscribe automatically to a list of websites offering premium services. Typically the user clicks an HTML element and a verification code is subsequently sent to the server, although other subscription flows exist as well.
“For the malware to do this automatically, it observes the page loading progress and injects JavaScript code designed to click HTML elements that initiate the subscription. As the user can only subscribe once to one service, the code also marks the HTML page using a cookie to avoid duplicate subscriptions” - Microsoft
Microsoft warns that further verification is sometimes required, and its analysis of toll fraud malware samples revealed techniques for handling it. Some carriers complete the subscription only after confirming the customer's consent with an OTP sent via SMS, HTTP, or USSD (Unstructured Supplementary Service Data); the first two are the most common.
Intercepting SMS messages is a common Android malware capability. When the OTP arrives over HTTP, the malware must parse the response to find the characters that make up the verification token. Once the threat actor has the authorization code, they are free to finalize the subscription to the chosen premium service. That alone is not enough, though, since the victim could still receive subscription-related alerts; these must therefore be suppressed.
“Since API level 18, an application that extends the NotificationListenerService is authorized to suppress notifications triggered from other applications,” said Microsoft.
The creators of toll fraud malware often add features that keep the malicious activity as covert as possible. One method is to keep the malware dormant if the infected device's mobile network is not on the target list. Another is dynamic code loading, in which certain code is loaded only under specific conditions. This makes the infection harder to detect, particularly through static analysis.
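The stages described above map onto a small set of Android permissions, privileged components and API calls, which makes them a usable static triage signature. The following script is an added example written for this article, not tooling from Microsoft's report: it reads a decoded manifest and decompiled source, tags the toll-fraud capabilities they expose, and flags the chain Microsoft describes only when the cellular-forcing step co-occurs with a subscribe, OTP or suppression step. The indicator lists, category names, the `com.example.wallpaper` package and both sample inputs are constructed for illustration. Legitimate carrier or messaging apps will light up individual categories, so treat the result as a triage pointer, not a verdict.

```python
"""Static triage of a decoded Android app for the toll-fraud capability chain.

Inputs: a decoded AndroidManifest.xml (e.g. apktool output) and decompiled source
text (e.g. concatenated jadx output). Output: capability categories the app can
exercise, candidate carrier targets, and a verdict. Sample inputs are constructed.
"""
import json
import re
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace prefix

# Manifest permissions -> (capability category, why it matters).
PERMISSIONS = {
    "android.permission.CHANGE_NETWORK_STATE": ("network_forcing", "requestNetwork(), normal level"),
    "android.permission.CHANGE_WIFI_STATE": ("network_forcing", "setWifiEnabled(false) on API <= 28"),
    "android.permission.RECEIVE_SMS": ("sms_interception", "receive the OTP SMS"),
    "android.permission.READ_SMS": ("sms_interception", "read the OTP SMS"),
    "android.permission.SEND_SMS": ("sms_interception", "answer the OTP over SMS"),
}
# Intent actions that bind privileged components -> (category, why).
ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED": ("sms_interception", "SMS broadcast receiver"),
    "android.service.notification.NotificationListenerService":
        ("notification_suppression", "may cancel other apps' notifications (API >= 18)"),
    "android.accessibilityservice.AccessibilityService": ("auto_subscribe", "may click UI for the user"),
}
# Regexes over decompiled source -> (category, why).
SOURCE = {
    r"\bTRANSPORT_CELLULAR\b": ("network_forcing", "requests a cellular-only network"),
    r"\brequestNetwork\s*\(": ("network_forcing", "ConnectivityManager.requestNetwork"),
    r"\bbindProcessToNetwork\s*\(": ("network_forcing", "pins the process to that network"),
    r"\bsetWifiEnabled\s*\(\s*false": ("network_forcing", "disables Wi-Fi"),
    r"\bgetSimOperator\s*\(|\bgetNetworkOperator\s*\(": ("carrier_targeting", "MCC+MNC, no permission"),
    r'\bevaluateJavascript\s*\(|\bloadUrl\s*\(\s*"javascript:': ("auto_subscribe", "JS injected into WebView"),
    r"\bcancelNotification\s*\(|\bcancelAllNotifications\s*\(": ("notification_suppression", "cancel API"),
    r"\b(?:InMemory)?DexClassLoader\b": ("evasion", "dynamic code loading"),
}

# Constructed sample inputs (hypothetical package and class names).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".SmsRx" android:exported="true">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <service android:name=".NotifSvc" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter><action android:name="android.service.notification.NotificationListenerService"/></intent-filter>
    </service>
  </application>
</manifest>
"""
SAMPLE_SOURCE = """\
NetworkRequest req = new NetworkRequest.Builder().addTransportType(NetworkCapabilities.TRANSPORT_CELLULAR).build();
cm.requestNetwork(req, new ConnectivityManager.NetworkCallback() { /* onAvailable: bind and load page */ });
if (Arrays.asList("52501", "45204").contains(tm.getSimOperator())) { start(); }
webView.evaluateJavascript("document.querySelector('#subscribe').click()", null);
new DexClassLoader(payload.getPath(), dir, null, getClassLoader());
"""


def manifest_indicators(xml_text):
    """Return {indicator: (category, note)} for declared permissions and component actions."""
    root = ET.fromstring(xml_text)
    found = {}
    for node in root.iter("uses-permission"):
        name = node.get(A + "name", "")
        if name in PERMISSIONS:
            found[name] = PERMISSIONS[name]
    for node in root.iter("action"):  # covers receivers and services at any depth
        name = node.get(A + "name", "")
        if name in ACTIONS:
            found[name] = ACTIONS[name]
    return found


def source_indicators(src):
    """Return {pattern: (category, note)} for every source regex that matches."""
    return {pat: meta for pat, meta in SOURCE.items() if re.search(pat, src)}


def carrier_targets(src):
    """Quoted 5-6 digit literals are candidate MCC+MNC codes compared against getSimOperator()."""
    return re.findall(r'"(\d{5,6})"', src)


def triage(xml_text, src):
    found = {**manifest_indicators(xml_text), **source_indicators(src)}
    cats = sorted({cat for cat, _ in found.values()})
    # The chain needs the cellular-forcing step plus at least one subscribe/OTP/suppress step;
    # any single category on its own is ordinary for legitimate apps.
    chain = "network_forcing" in cats and any(
        c in cats for c in ("sms_interception", "notification_suppression", "auto_subscribe"))
    verdict = "toll-fraud-capable" if chain else ("review" if len(cats) >= 2 else "low")
    targets = carrier_targets(src) if "carrier_targeting" in cats else []
    return {"indicators": found, "categories": cats, "carrier_targets": targets, "verdict": verdict}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_SOURCE), indent=2))
```

On the constructed sample the script reports all six categories, the two MCC+MNC literals the code compares the SIM operator against, and the verdict `toll-fraud-capable`. The carrier-target extraction is a quick pivot for an analyst: the codes tell you which operators' WAP billing the sample targets, which is also why the same sample stays dormant on any other network.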
The key to preventing toll fraud malware from infecting your smartphone is to install apps only from a trusted source, such as Google's Play Store. It is also a good idea to review the permissions an app requests at installation if you want to safeguard your privacy and reduce the chance that malware takes over your device. Microsoft further advises users not to grant applications access to SMS, notifications, or accessibility services unless those rights are necessary for the app to function.
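To check an actual device against that advice, the following added example (not from Microsoft's report) uses adb to enumerate which third-party apps currently hold notification-listener access, accessibility access and granted SMS runtime permissions. It assumes adb is on PATH with a debuggable device attached, that Settings.Secure stores the enabled services as colon-separated flattened component names, and that `dumpsys package` prints runtime permissions as `<name>: granted=true`. The package names and captured output embedded in the block are constructed samples for the parsers.

```python
"""Audit an Android device for the grants toll-fraud malware relies on:
notification-listener access, accessibility access and SMS permissions.
Parsers are pure functions so they can run on captured output; the adb calls
under __main__ need a device with USB debugging enabled (assumed, not verified).
"""
import re
import subprocess

SMS_PERMS = ("android.permission.READ_SMS", "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS")


def adb_shell(*args):
    """Run `adb shell <args>` and return stdout (assumes adb is on PATH)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout


def parse_component_list(value):
    """Settings.Secure keys enabled_notification_listeners / enabled_accessibility_services
    hold 'pkg/.Svc:pkg2/com.x.Svc' (colon-separated ComponentNames); 'null' means none."""
    value = value.strip()
    if not value or value == "null":
        return []
    return [c.split("/", 1)[0] for c in value.split(":") if c]


def granted_sms_permissions(dumpsys_text):
    """SMS runtime permissions marked granted=true in `dumpsys package <pkg>` output."""
    granted = {m.group(1) for m in re.finditer(r"(android\.permission\.\w+): granted=true", dumpsys_text)}
    return sorted(granted & set(SMS_PERMS))


def audit(listeners_value, accessibility_value, dumpsys_by_pkg):
    """Combine the three sources into {package: [grants]}; packages with no grant are omitted."""
    report = {}
    for pkg in parse_component_list(listeners_value):
        report.setdefault(pkg, []).append("notification-listener")
    for pkg in parse_component_list(accessibility_value):
        report.setdefault(pkg, []).append("accessibility")
    for pkg, text in dumpsys_by_pkg.items():
        for perm in granted_sms_permissions(text):
            report.setdefault(pkg, []).append(perm.rsplit(".", 1)[1])
    return report


# Constructed sample captures (hypothetical package names).
SAMPLE_LISTENERS = "com.example.wallpaper/.NotifSvc:com.example.watch/.companion.ListenerService"
SAMPLE_ACCESSIBILITY = "com.example.wallpaper/.A11ySvc"
SAMPLE_DUMPSYS = {
    "com.example.wallpaper": (
        "    runtime permissions:\n"
        "      android.permission.READ_SMS: granted=true, flags=[ USER_SET]\n"
        "      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET]\n"
        "      android.permission.CAMERA: granted=false, flags=[ USER_SET]\n"
    ),
    "com.example.watch": "      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]\n",
}

if __name__ == "__main__":
    listeners = adb_shell("settings", "get", "secure", "enabled_notification_listeners")
    a11y = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
    # `pm list packages -3` prints one 'package:<name>' line per third-party app.
    pkgs = [ln.split(":", 1)[1] for ln in adb_shell("pm", "list", "packages", "-3").splitlines()
            if ln.startswith("package:")]
    dumps = {p: adb_shell("dumpsys", "package", p) for p in pkgs}
    for pkg, grants in sorted(audit(listeners, a11y, dumps).items()):
        print(f"{pkg}: {', '.join(grants)}")
```

An app that appears with all three kinds of grant, as the constructed `com.example.wallpaper` does, holds every privilege the OTP-interception and notification-suppression stages need; unless it is an SMS client or an assistive tool you installed on purpose, revoke the access in Settings before investigating further.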