Microsoft has published an in-depth analysis of the evolving capabilities of toll fraud malware apps for Android, highlighting their "complex multi-step attack flow" as well as improved mechanisms for evading detection by security products.
Such apps trick unsuspecting users into subscribing to premium content without their knowledge or consent, with the charges landing on the victim's mobile phone bill.
What distinguishes this family from other forms of fleeceware is that the malicious functions are carried out only when a compromised device is connected to one of the target mobile network operators.
"It also uses the cellular connection for its activities and forces devices to connect to the mobile network even if a Wi-Fi connection is available," Dimitrios Valamaras and Sang Shin Jung of the Microsoft 365 Defender Research Team said in an exhaustive analysis of the malware's behavior.
"Once the connection to a target network is confirmed, it covertly initiates a fraudulent subscription and confirms it without the user's consent, in some cases even intercepting the one-time password (OTP) in order to do so," the researchers said. "This is done in order to steal money from the user."
These apps are also known to suppress SMS notifications related to the subscription, so that victims do not become aware of the fraudulent charge and cancel the service.
Toll fraud, at its core, abuses a payment method that lets customers subscribe to paid services through websites that support Wireless Application Protocol (WAP) billing. Users do not need to set up a credit or debit card or enter a username and password, because the subscription fee is charged directly to their mobile phone bill.
"If the user connects to the internet through mobile data, the mobile network operator can identify him/her by IP address," Kaspersky noted in a 2017 report on WAP billing trojan clickers. "Users of mobile networks are only charged by operators for their services if they can be positively identified."
Some providers also require a one-time password (OTP) from the customer as a second layer of confirmation before activating the subscription.
"In the case of toll fraud, the malware performs the subscription on behalf of the user in such a way that the overall process is not perceivable," the researchers said. "The malicious software will communicate with a [command-and-control] server in order to retrieve a list of services that are available."
It accomplishes this by first disabling Wi-Fi and enabling mobile data, then using JavaScript to covertly subscribe to the service, and finally intercepting and submitting the OTP code (where one is required) to complete the process.
The JavaScript code is designed to programmatically click HTML elements that contain keywords such as "confirm," "click," and "continue," so that the subscription is started without any user interaction.
Once a fraudulent subscription has been completed, the malware either hides the subscription notification messages or abuses its SMS permissions to delete incoming messages from the mobile network operator that describe the service the user has been subscribed to.
Toll fraud malware is also known to conceal its malicious behavior through dynamic code loading, an Android feature that lets an application fetch additional modules from a remote server at runtime. Because the feature is so open to abuse, it is heavily relied on by toll fraud malware.
From a security standpoint, this means a malware author can build an application so that the malicious functionality is loaded only when certain prerequisites are met, thereby evading the checks performed by static code analysis.
In its developer documentation on potentially harmful applications (PHAs), Google notes that "if an app allows dynamic code loading and the dynamically loaded code is extracting text messages, it will be classified as a backdoor malware."
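The indicators described above (SMS interception, forcing the device onto mobile data, a JavaScript clicker for the WAP subscription page, and dynamic code loading) combine into a static-triage check that an analyst can run against an unpacked APK. The following script is an added example written for this page, not Microsoft's tooling or code from any sample: it parses a manifest for the relevant permissions and a high-priority SMS receiver, scans dex strings for loader and WebView-injection markers, and reports a verdict only when the billing-channel pieces appear together. The manifests, dex strings, the priority threshold, and the `c2.example` URL are all constructed placeholders.

```python
"""Static triage of an unpacked Android app for the toll-fraud indicator set.

Indicators (no single one is proof; legitimate SMS apps share some of them):
  sms_intercept        RECEIVE_SMS/READ_SMS plus a high-priority SMS_RECEIVED receiver
  forced_cellular      CHANGE_WIFI_STATE (to drop Wi-Fi) plus ACCESS_NETWORK_STATE
  dynamic_code_loading a DexClassLoader-style loader referenced in the dex
  wap_autoclick_js     JavaScript injected into a WebView that clicks elements
                       whose text contains "confirm" / "click" / "continue"
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
NET_PERMS = {"android.permission.CHANGE_WIFI_STATE", "android.permission.ACCESS_NETWORK_STATE"}
DYNLOAD_MARKERS = ("dalvik/system/DexClassLoader", "dalvik/system/InMemoryDexClassLoader")
JS_INJECT_MARKERS = ("javascript:", "evaluateJavascript")
CLICK_KEYWORDS = ("confirm", "click", "continue")
HIGH_PRIORITY = 100  # assumed threshold; samples typically declare 999 or INT_MAX


def android_attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def parse_manifest(xml_text):
    """Return (declared permissions, highest priority of an SMS_RECEIVED filter or None)."""
    root = ET.fromstring(xml_text)
    perms = {android_attr(p, "name") for p in root.iter("uses-permission")}
    sms_priority = None
    for flt in root.iter("intent-filter"):
        actions = {android_attr(a, "name") for a in flt.iter("action")}
        if "android.provider.Telephony.SMS_RECEIVED" in actions:
            prio = android_attr(flt, "priority")
            sms_priority = max(sms_priority or 0, int(prio) if prio else 0)
    return perms, sms_priority


def triage(manifest_xml, dex_strings):
    """Score one app; returns a dict of boolean indicators plus the combined verdict."""
    perms, sms_priority = parse_manifest(manifest_xml)
    blob = "\n".join(dex_strings)
    f = {}
    f["sms_intercept"] = bool(perms & SMS_PERMS) and sms_priority is not None \
        and sms_priority >= HIGH_PRIORITY
    f["forced_cellular"] = NET_PERMS <= perms
    f["dynamic_code_loading"] = any(m in blob for m in DYNLOAD_MARKERS)
    keyword_hits = {k for k in CLICK_KEYWORDS if re.search(rf"\b{k}\b", blob, re.I)}
    f["wap_autoclick_js"] = any(m in blob for m in JS_INJECT_MARKERS) and len(keyword_hits) >= 2
    # Verdict requires the whole billing channel: a way to drop Wi-Fi, a way to eat the
    # operator's SMS, and a way to drive (clicker) or hide (dynamic loading) the subscription.
    f["toll_fraud_like"] = f["sms_intercept"] and f["forced_cellular"] and \
        (f["dynamic_code_loading"] or f["wap_autoclick_js"])
    return f


# Constructed sample inputs (not real malware artifacts). In practice these come from
# `aapt dump xmltree app.apk AndroidManifest.xml` and `strings classes.dex`.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
SUSPECT_DEX_STRINGS = [
    "Ldalvik/system/DexClassLoader;",
    "Landroid/net/wifi/WifiManager;->setWifiEnabled",
    "Landroid/webkit/WebView;->loadUrl",
    # A clicker reconstructed from the keyword behaviour described above (constructed).
    "javascript:(function(){var kw=['confirm','click','continue'];"
    "document.querySelectorAll('button,a,input').forEach(function(e){"
    "var t=(e.innerText||e.value||'').toLowerCase();"
    "if(kw.some(function(k){return t.indexOf(k)>=0}))e.click();});})()",
    "abortBroadcast",
    "https://c2.example/services",  # hypothetical placeholder, not a real C2
]
# A plain SMS app: same receiver and permissions, but no Wi-Fi control, loader or clicker.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".IncomingSmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
BENIGN_DEX_STRINGS = ["Landroid/webkit/WebView;->loadUrl", "https://example.com/help"]

if __name__ == "__main__":
    print("suspect", triage(SUSPECT_MANIFEST, SUSPECT_DEX_STRINGS))
    print("benign ", triage(BENIGN_MANIFEST, BENIGN_DEX_STRINGS))
```

The benign messenger trips the `sms_intercept` indicator on its own, which is why the verdict is gated on the combination rather than any single signal; a loader that fetches the clicker at runtime will leave no `javascript:` string in the dex, so `dynamic_code_loading` is accepted as the alternative to `wap_autoclick_js` and the dynamically fetched payload should be examined separately.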
Toll fraud applications, with an install rate of 0.022 percent in the first quarter of 2022, accounted for 34.8 percent of all PHAs installed from the Android app marketplace, placing them second only to spyware. The largest shares of installations were in Turkey, Russia, Mexico, India, and Indonesia.
To reduce the risk of infection by toll fraud malware, users are advised to install applications only from the Google Play Store or other trusted sources, to avoid granting apps excessive permissions, and to consider replacing a device that no longer receives software updates.