Home » Microsoft Warns Android Phone Users of Evolving Toll Fraud Malware Apps

Microsoft Warns Android Phone Users of Evolving Toll Fraud Malware Apps

July 03, 2022 • security

If you’re an Android phone user, Microsoft warns you: to watch out for toll fraud malware apps. These apps have become more complex and harder to detect, intending to steal your money by charging you hidden subscription fees. Microsoft has outlined the steps of this malicious attack in a blog post so that you can be aware of the dangers and protect yourself.

Toll fraud, also known as “freemium virus” or “trapware,” is a billing fraud in which unsuspecting people are lured into paying for premium content without their knowledge or consent. It’s different from other fleeceware dangers in that the harmful features are only activated when a hacker links a gadget to one of its target network operators.

Furthermore, according to Valsamaras and Shin Jung of the Microsoft 365 Defender Research Team, it has been discovered that by default, it connects to the cellular network for activities even if a Wi-Fi connection is accessible. “It does so by default,” they stated.

After that, it creates a phony subscription and confirms it again after establishing a link to a specific network.

The newest version of the Magento platform utilizes a variety of third-party and in-house security solutions to protect against online fraud using multiple methods, including:

Toll fraud occurs when consumers use a legitimate paid service provided by a WAP-enabled website to obtain items or services that the vendor does not authorize. Customers’ mobile phone bills are automatically charged, rather than being required to create a credit or debit card or supply a username and password.

According to Kaspersky, hackers can determine the IP address of a WAP billing trojan if the user connects to the internet using mobile data. “Users are only charged if they are correctly identified, which happens with ease,” says a 2017 study by Kaspersky on WAP billing trojans.

Some companies may ask for OTPs as the second level of verification before they will turn on the service.

The malware runs the subscription on behalf of the user in a seemingly genuine way. The malware will communicate with a [command-and-control] server to obtain a list of available services.

The malware downloads several files from the compromised website, including AdNab.exe and rundll32.exe. It then uses JavaScript to covertly subscribe to the service and receive and send the OTP code (if any are required). Programmers designed the JavaScript code to use a programmatic approach to start the subscription by controlling HTML elements containing keywords such as “confirm,” “click,” or “continue.”

The malware may delete incoming text messages containing information about the subscribed service from the mobile network operator if a fraudulent subscription is successful.

Android’s dynamic code loading capability, which allows applications to download additional modules from a remote server during runtime, makes it easy for shady individuals to take advantage of the system.

Malware writers can create an application that has bad behavior. But bad behavior will only happen if specific circumstances are met. So it will be hard to find this bad behavior using static code analysis checks on the security side.

Back door malware is malicious software installed via an app and produces dynamically generated code to grab text messages, as outlined in Google’s developer documentation for potentially harmful applications (PHAs).

Tolls have become a lucrative business for hackers, with fraud applications claiming 34.8 percent of all PHAs established through the Android app market in the first three months of 2022, putting second just below spyware. Most installations were witnessed in India, Russia, Mexico, Indonesia, and Turkey.

If you want to avoid being a toll fraud malware victim, follow the instructions outlined in this blog article. Users should only obtain applications from the Google Play Store or other legitimate sources. They should limit app privileges and consider replacing their phone if it does not get updates.

woman avatar


admin is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.