Toll Fraud Malware Warnings on Android Device issued by Microsoft

Microsoft has described the evolving capabilities of Android toll fraud malware apps, highlighting their “complex multi-step attack flow” and their improved techniques for evading security analysis.

Toll fraud is a type of billing fraud in which deceptive mobile applications lure unsuspecting users into paying for premium content without their awareness or permission. It’s also different from other fleeceware threats in that the malicious functions are only carried out when a compromised device is connected to one of its target network operators.

Toll fraud malware, a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent, is one of the most prevalent types of Android malware – and it continues to evolve.

Compared to other subcategories of billing fraud, which include SMS fraud and call fraud, toll fraud has unique behaviors. Whereas SMS fraud or call fraud use a simple attack flow to send messages or calls to a premium number, toll fraud has a complex multi-step attack flow that malware developers continue to improve.

How Does the Attack Work?

The malware forces devices to connect to the mobile network even when a Wi-Fi connection is available, according to a thorough analysis by Dimitrios Valsamaras and Sang Shin Jung of the Microsoft 365 Defender Research Team.

Once the target network connection is established, the malware covertly starts a fraudulent subscription and confirms it without the user’s knowledge. In some instances, it even uses the one-time password (OTP) to do this.

Such apps are also known to block SMS alerts related to the subscription in order to stop the victims from learning about the fraudulent transaction and canceling their membership in the service.

Toll fraud primarily abuses the payment mechanism that lets users pay for services on websites that support Wireless Application Protocol (WAP) billing. The subscription fee is charged directly to the user’s mobile phone bill, eliminating the need to set up a credit or debit card or enter a username and password.

In a 2017 report about WAP billing trojan clickers, we observed that “if the user connects to the internet through mobile data, the mobile network operator can identify him/her by IP address.” Users are only charged by mobile network operators when they are properly identified. Before activating the service, some providers may also request OTPs as an additional step of subscription confirmation.

Fraudulent subscriptions via toll fraud

We classify a subscription as fraudulent when it takes place without a user’s consent. In the case of toll fraud, the malware performs the subscription on behalf of the user in a way that the overall process isn’t perceivable through the following steps:

  1. Disable the Wi-Fi connection or wait for the user to switch to a mobile network
  2. Silently navigate to the subscription page
  3. Auto-click the subscription button
  4. Intercept the OTP (if applicable)
  5. Send the OTP to the service provider (if applicable)
  6. Cancel the SMS notifications (if applicable)

According to the researchers, “in the case of toll fraud, the malware performs the subscription on the user’s behalf in a way that the overall process isn’t perceptible.” To obtain a catalog of available services, the malware will “communicate with a [command-and-control] server.”

This is done by first turning off Wi-Fi and turning on mobile data, then secretly subscribing to the service using JavaScript, and finally intercepting and sending the OTP code (if necessary) to finish the process. In order to start the subscription programmatically, the JavaScript code is made to click on HTML components that have the keywords “confirm,” “click,” and “continue.” When a fraudulent subscription is successful, the malware either hides the subscription notification messages or abuses its SMS permissions to delete incoming text messages from the mobile network provider that contain information about the subscribed service.

Toll fraud malware is also known to cloak its malicious behavior by means of dynamic code loading, a feature in Android that allows apps to pull additional modules from a remote server during runtime, making it ripe for abuse by malicious actors.


From a security standpoint, this also means that a malware author can fashion an app such that the rogue functionality is only loaded when certain prerequisites are met, effectively defeating static code analysis checks.
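The attack flow above (SMS interception, notification or accessibility abuse, forced switching to mobile data, JavaScript auto-clicking of “confirm”/“click”/“continue” elements and dynamic code loading) can be turned into a simple triage heuristic for analysts. The following script is an added example, not code from Microsoft or from this post; it scores a decoded app’s manifest and extracted strings against those indicators. The weights and the review threshold are assumptions to be tuned against your own app corpus, and the sample manifest and strings are constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android manifest namespace

# Weighted indicators taken from the behaviour described in this post: SMS
# interception, notification/accessibility abuse, forced network switching,
# dynamic code loading and JavaScript auto-clicking of subscription pages.
PERMISSION_WEIGHTS = {
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.READ_SMS": 3,
    "android.permission.SEND_SMS": 2,
    "android.permission.CHANGE_WIFI_STATE": 2,
    "android.permission.CHANGE_NETWORK_STATE": 2,
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": 3,
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 3,
}
STRING_WEIGHTS = {"dalvik.system.DexClassLoader": 3, "addJavascriptInterface": 2}
CLICK_KEYWORDS = ("confirm", "click", "continue")  # keywords named in the post
REVIEW_THRESHOLD = 8  # assumed cut-off; tune against your own app corpus

def triage(manifest_xml: str, strings: list) -> tuple:
    """Return (score, sorted hits, needs_review) for one decoded app."""
    root = ET.fromstring(manifest_xml)
    hits = set()
    for el in root.iter("uses-permission"):  # permissions the app requests
        hits.add(el.get(A + "name", ""))
    for el in root.iter("service"):  # bind-protected listener/accessibility services
        hits.add(el.get(A + "permission", ""))
    hits &= set(PERMISSION_WEIGHTS)
    for s in strings:  # class names / JavaScript pulled from the decoded app
        hits.update(k for k in STRING_WEIGHTS if k in s)
        low = s.lower()
        if ".click()" in low and any(k in low for k in CLICK_KEYWORDS):
            hits.add("js-autoclick")
    score = sum(PERMISSION_WEIGHTS.get(h, STRING_WEIGHTS.get(h, 2)) for h in hits)
    return score, sorted(hits), score >= REVIEW_THRESHOLD

# Constructed sample inputs (not from any real app) showing the full pattern.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application><service android:name=".Listener"
      android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_STRINGS = ["dalvik.system.DexClassLoader",
                  "document.querySelector('#confirm').click()"]

print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

Because dynamically loaded modules are not present in the APK at rest, a low score from this static pass does not clear an app; it only prioritises which apps to run dynamically.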

Google states in its developer documentation about potentially harmful apps (PHAs) that “if an app allows dynamic code loading and the dynamically loaded code is extracting text messages, it will be classified as a backdoor malware.”

Toll fraud apps made up 34.8% of all PHAs installed from the Google Play Store in the first quarter of 2022, placing second only to spyware in terms of install rate (0.022%). The majority of the installations came from Turkey, Mexico, India, Russia, and Indonesia.

Limiting the Risk of Toll Fraud Malware

Toll fraud is one of the most common malware categories, with high financial loss as its main impact. Because of its sophisticated cloaking techniques, prevention on the user’s side plays a key role in keeping the device secure. A rule of thumb is to avoid installing Android applications from untrusted sources (sideloading) and to always apply device updates promptly. We also recommend end users take the following steps to protect themselves from toll fraud malware:

  • Install applications only from the Google Play Store or other trusted sources.
  • Avoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong understanding of why the application needs it. These are powerful permissions that are not commonly needed.
  • Use a solution such as Microsoft Defender for Endpoint on Android to detect malicious applications.
  • If a device is no longer receiving updates, strongly consider replacing it with a new device.

Users should only download apps from the Google Play Store or other reliable sources to reduce the risk of toll fraud malware, avoid giving apps too many permissions, and think about switching to a new device if their current one stops getting software updates.

Conclusion

Since families like Joker and their variants first appeared in 2017, toll fraud has become one of the most common kinds of Android malware in the Google Play Store. Second only to spyware, it accounted for 34.8% of potentially harmful applications (PHAs) installed from the Google Play Store in the first quarter of 2022.

This malware can result in substantial mobile bill charges for victims by tricking them into subscribing to premium services. Affected devices are at higher risk as a result of the threat’s ability to avoid discovery and the volume of installations it can make before any one variant is eliminated.

Through this blog, we hope to educate readers about the specifics of this danger and the measures that they can take against toll fraud malware. Additionally, we want to show security analysts how to spot other malicious apps that make use of these methods.

Our thorough examination of this threat and its ongoing evolution helps us to better understand how to protect users with products like Microsoft Defender for Endpoint on Android.
