Android malware developers are stepping up their billing fraud game with apps that disable Wi-Fi connections, stealthily subscribe users to expensive wireless services, and intercept text messages to collect hefty fees from unsuspecting users, Microsoft said Friday.
This class of threats has been a fact of life on the Android platform for years, as exemplified by a malware family called Joker that has infected millions of phones since 2016. Despite awareness of the issue, little attention has been paid to the techniques that such ‘toll fraud’ malware uses. Enter Microsoft, which has published a technical deep dive on the topic.
The billing mechanism abused in this type of scam is WAP, short for Wireless Application Protocol, which allows access to information over a mobile network. Mobile phone users can subscribe to such services by visiting a service provider’s website while their devices are connected to the cellular service and then clicking a button. In some cases, the carrier responds by texting a one-time password (OTP) to the phone and asking the user to send it back to verify the subscription request. The process looks like this:

The aim of the malicious apps is to automatically subscribe infected phones to these WAP services without the owner’s knowledge or consent. Microsoft said that the rogue Android apps its researchers analyzed achieve this goal by following these steps:
- Turn off the Wi-Fi connection or wait for the user to switch to a cellular network
- Silently navigate to the subscription page
- Automatically click the subscribe button
- Intercept OTP (if applicable)
- Send the OTP to the service provider (if applicable)
- Cancel SMS notifications (if applicable)
Malware authors have several ways of forcing a phone to use a cellular connection, even when it is connected to Wi-Fi. On devices running Android 9 or earlier, an app can call the setWifiEnabled method of the WifiManager class. Starting with Android 10, an app can instead use the requestNetwork method of the ConnectivityManager class. Either way, the phone ends up loading data only over the cellular network, as shown in this image:

Once a phone uses the cellular network for data transfer, the malicious app secretly opens a browser in the background, navigates to the WAP subscription page and clicks the subscribe button. Completing the subscription can be harder, because the confirmation prompt may arrive over SMS, HTTP or USSD. Microsoft describes the specific methods malware authors use to bypass each type of confirmation. The Microsoft post then goes on to explain how the malware suppresses the periodic messages that the subscription service sends to remind the user of their subscription.
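The chain described above (force cellular, intercept the OTP, reply to the provider, suppress the reminder SMS) maps onto a recognisable set of permissions and API calls, which is what an app-vetting pipeline can look for statically. The script below is an added example written for this page, not code from Microsoft’s report or from Google; it takes a decoded AndroidManifest.xml and a list of API references pulled from the app’s bytecode (as a dex string dump would produce) and reports which stages of the chain the app appears equipped for. The manifest and API list are constructed samples, and the grouping of permissions and method references into stages is this example’s own assumption, not a published detection rule.

```python
"""Static triage heuristic for the WAP toll-fraud behaviour pattern.

Added example, not Microsoft's or Google's code. Input is a decoded
AndroidManifest.xml plus a list of Android API references found in the
app's bytecode. The sample manifest and API list are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Each stage of the chain maps to the permissions and API references an app
# would need for it. Permission names are real Android permissions; the
# grouping into stages is this example's own assumption.
STAGES = {
    "force_cellular": {
        "permissions": {"android.permission.CHANGE_WIFI_STATE",
                        "android.permission.CHANGE_NETWORK_STATE"},
        "apis": {"Landroid/net/wifi/WifiManager;->setWifiEnabled",
                 "Landroid/net/ConnectivityManager;->requestNetwork"},
    },
    "intercept_otp": {
        "permissions": {"android.permission.RECEIVE_SMS",
                        "android.permission.READ_SMS"},
        "apis": {"Landroid/telephony/SmsMessage;->getMessageBody"},
    },
    "reply_otp": {
        "permissions": {"android.permission.SEND_SMS"},
        "apis": {"Landroid/telephony/SmsManager;->sendTextMessage"},
    },
    "suppress_sms": {
        "permissions": set(),  # no extra permission; needs an SMS receiver
        "apis": {"Landroid/content/BroadcastReceiver;->abortBroadcast"},
    },
}


def parse_manifest(xml_text):
    """Return (declared permissions, True if an SMS_RECEIVED receiver exists)."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    has_sms_receiver = any(
        a.get(ANDROID_NS + "name") == SMS_RECEIVED_ACTION
        for r in root.iter("receiver")
        for a in r.iter("action"))
    return perms, has_sms_receiver


def triage(xml_text, api_refs):
    """Mark each stage True when the app holds a needed permission (if any)
    and references a needed API. SMS-side stages also require an
    SMS_RECEIVED receiver. Returns (stage -> bool, verdict)."""
    perms, has_sms_receiver = parse_manifest(xml_text)
    refs = set(api_refs)
    found = {}
    for stage, need in STAGES.items():
        perm_ok = not need["permissions"] or bool(need["permissions"] & perms)
        found[stage] = perm_ok and bool(need["apis"] & refs)
    found["intercept_otp"] = found["intercept_otp"] and has_sms_receiver
    found["suppress_sms"] = found["suppress_sms"] and has_sms_receiver
    # Forcing cellular combined with any SMS-side capability is the pattern
    # the report describes; flag that combination for manual review.
    sms_side = found["intercept_otp"] or found["reply_otp"] or found["suppress_sms"]
    verdict = "review" if found["force_cellular"] and sms_side else "low"
    return found, verdict


# Constructed sample: a manifest and API dump shaped like the described chain.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

SAMPLE_API_REFS = [
    "Landroid/net/wifi/WifiManager;->setWifiEnabled",
    "Landroid/telephony/SmsMessage;->getMessageBody",
    "Landroid/telephony/SmsManager;->sendTextMessage",
    "Landroid/content/BroadcastReceiver;->abortBroadcast",
]

if __name__ == "__main__":
    stages, verdict = triage(SAMPLE_MANIFEST, SAMPLE_API_REFS)
    for name, hit in stages.items():
        print(f"{name:16s} {'YES' if hit else 'no'}")
    print("verdict:", verdict)
```

A heuristic like this produces candidates for review, not convictions: legitimate SMS apps hold the same SMS permissions, and CHANGE_WIFI_STATE is common in network utilities, so the value lies in the combination (cellular forcing plus SMS handling in an app with no user-facing reason for either) rather than in any single indicator.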
“By allowing users to subscribe to premium services, this malware can cause victims to pay significant fees for cell phone bills,” Microsoft researchers write.
Google actively bans apps from its Play market when it detects signs of fraud or malicious activity, or when it receives reports of malicious third-party apps. While Google often removes malicious apps only after they have infected millions of users, apps downloaded from Play are generally considered more trustworthy than apps from third-party markets.