Microsoft Warns Android Phone Users of Evolving Toll Fraud Malware Apps

If you’re an Android phone user, Microsoft is warning you to watch out for toll fraud malware apps. These apps have become more complex and harder to detect, and they aim to steal your money by signing you up for hidden subscription fees. Microsoft has outlined the steps of this malicious attack in a blog post so that you can be aware of the danger and protect yourself.

Toll fraud, also known as “freemium virus” or “trapware,” is a form of billing fraud in which unsuspecting people are lured into paying for premium content without their knowledge or consent. It differs from other fleeceware threats in that the harmful functionality is only activated when the compromised device is connected to one of the malware’s target network operators.

Furthermore, according to Valsamaras and Shin Jung of the Microsoft 365 Defender Research Team, the malware connects to the cellular network for its activities even when a Wi-Fi connection is available. “It does so by default,” they stated.

Once it has established a connection to a targeted network, it creates a fraudulent subscription and then confirms it.


Toll fraud relies on WAP billing, a legitimate payment mechanism that lets consumers buy items or services from a WAP-enabled website. The charge is added directly to the customer’s mobile phone bill, so the customer is not required to enter a credit or debit card or supply a username and password.

According to Kaspersky, a WAP billing service can identify the subscriber from the device’s IP address if the user connects to the internet using mobile data. “Users are only charged if they are correctly identified, which happens with ease,” says a 2017 study by Kaspersky on WAP billing trojans.

Some service providers may also ask for a one-time password (OTP) as a second level of verification before they turn on the service.

The malware completes the subscription on behalf of the user in a seemingly genuine way. It first communicates with a [command-and-control] server to obtain a list of available services.

The malware downloads several files from the compromised website, including AdNab.exe and rundll32.exe. It then uses JavaScript to covertly subscribe to the service and to receive and submit the OTP code if one is required. The JavaScript code starts the subscription programmatically by manipulating HTML elements containing keywords such as “confirm,” “click,” or “continue.”

If the fraudulent subscription succeeds, the malware may delete incoming text messages from the mobile network operator that would alert the user to the subscribed service.

Android’s dynamic code loading capability, which allows applications to download additional modules from a remote server at runtime, makes it easy for attackers to abuse the system.

Malware writers can create an application whose malicious behavior is triggered only when specific conditions are met. Because the malicious code is not present until it is fetched at runtime, this behavior is hard to find with static code analysis checks on the security side.

Google’s developer documentation on potentially harmful applications (PHAs) likewise describes backdoor malware as malicious software, installed via an app, that loads dynamically generated code to grab text messages.
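The indicators described above (SMS permissions for OTP interception, forcing the cellular network, dynamic code loading, and a JavaScript bridge for the subscription page) can be turned into a simple static triage check. The script below is an added example written for this article, not code from Microsoft or Google; the manifest, the extracted dex strings, and the scoring thresholds are all constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups a toll fraud app typically requests (assumed indicator set)
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
NETWORK_PERMS = {"android.permission.CHANGE_NETWORK_STATE"}

# Strings found in classes.dex that hint at the behaviours the article describes
DEX_INDICATORS = {
    "dynamic_code_loading": re.compile(r"dalvik/system/(DexClassLoader|InMemoryDexClassLoader)"),
    "cellular_pinning": re.compile(r"TRANSPORT_CELLULAR|requestNetwork"),
    "sms_interception": re.compile(r"Telephony\.SMS_RECEIVED|content://sms"),
    "js_bridge": re.compile(r"addJavascriptInterface|evaluateJavascript"),
}

def manifest_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}

def triage(manifest_xml: str, dex_strings: list) -> dict:
    """Score an app by how many toll fraud indicators it combines."""
    perms = manifest_permissions(manifest_xml)
    findings = []
    if perms & SMS_PERMS:
        findings.append("sms_permissions")
    if perms & NETWORK_PERMS:
        findings.append("network_control")
    blob = "\n".join(dex_strings)
    findings += [name for name, pat in DEX_INDICATORS.items() if pat.search(blob)]
    # Single indicators are common in benign apps; the combination is suspicious
    verdict = "review" if len(findings) >= 3 else "low"
    return {"findings": findings, "score": len(findings), "verdict": verdict}

# Constructed sample input: a manifest and dex strings resembling a toll fraud app
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
</manifest>"""
SAMPLE_DEX_STRINGS = [
    "Ldalvik/system/DexClassLoader;",
    "android/net/NetworkCapabilities;->TRANSPORT_CELLULAR",
    "android.provider.Telephony.SMS_RECEIVED",
    "Landroid/webkit/WebView;->evaluateJavascript",
]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS))
```

Run against a real app by feeding it the decoded AndroidManifest.xml and the string table of classes.dex; a high score is a cue for manual review, not proof of fraud.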

Toll fraud has become a lucrative business for attackers: toll fraud applications accounted for 34.8 percent of all PHAs installed from the Android app market in the first three months of 2022, ranking second just below spyware. Most installations were observed in India, Russia, Mexico, Indonesia, and Turkey.

If you want to avoid becoming a toll fraud malware victim, follow the guidance outlined in this blog article. Users should only install applications from the Google Play Store or other legitimate sources. They should limit app permissions and consider replacing their phone if it no longer receives updates.

Natalie Werner
Natalie Werner is a freelance writer and CISSP & CCSK certified cybersecurity specialist with over 20 years of experience in the banking industry. She's also co-founder and CEO of The Alliance for Cyber Security Excellence (The ACE), an international not-for-profit organization that provides cybersecurity solutions to reduce risk exposure from threats like hacks or malware infections by bringing together trusted experts across various fields, including information technology (IT). As well as providing specialized operational courses on how to maintain your digital assets within IT domains such as data protection, Natalie offers strategic training designed to help organizations better understand their own business needs when it comes to protecting against external risks brought about through technological advances.
