Microsoft detailed the evolving capabilities of toll fraud malware apps on Android, pointing out the “complex, multi-step attack stream” and an improved mechanism to bypass security analytics.
Toll fraud belongs to a category of billing fraud in which malicious mobile applications carry hidden subscription fees, signing unsuspecting users up for premium content without their knowledge or consent.
It also differs from other fleeceware threats in that the malicious functions are only executed when a compromised device is connected to one of the target network operators.
“It also uses a cellular connection for its operations by default, forcing devices to connect to the cellular network even when a Wi-Fi connection is available,” Dimitrios Valsamaras and Sang Shin Jung of the Microsoft 365 Defender Research Team said in a comprehensive analysis.
“Once the connection to a target network is confirmed, it secretly initiates a fraudulent subscription and confirms without the user’s consent, in some cases even the one-time password (OTP) to do so.”
Such apps are also known to suppress subscription SMS notifications to prevent victims from becoming aware of the fraudulent transaction and opting out of the service.
At its core, toll fraud uses the payment method that allows consumers to subscribe to paid services from websites that support the Wireless Application Protocol (WAP). These subscription fees are charged directly to users’ mobile phone bills, eliminating the need to set up a credit or debit card or enter a username and password.
“If the user connects to the Internet via mobile data, the mobile network operator can identify him/her by the IP address,” Kaspersky noted in a 2017 report about WAP billing trojan clickers. “Mobile network operators will only charge users if they have been successfully identified.”
Optionally, some providers may also require OTPs as a second layer of confirmation of the subscription before activating the service.
“In the case of toll fraud, the malware executes the subscription on behalf of the user in a way that the overall process is undetectable,” the researchers said. “The malware will communicate with a [command-and-control] server to retrieve a list of services offered.”
In a successful fraudulent subscription, the malware either hides the subscription notifications or misuses the SMS permissions to delete incoming SMS messages containing information about the subscribed service from the mobile network operator.
Toll fraud malware is also known to disguise its malicious behavior through dynamic code loading, an Android feature that allows apps to fetch extra modules from a remote server at runtime, which makes it ripe for abuse by malicious actors.
From a security perspective, this also means that a malware author can design an app to load the rogue functionality only when certain conditions are met, effectively thwarting static code analysis checks.
“If an app allows dynamic loading of code and the dynamically loaded code extracts text messages, it is classified as backdoor malware,” Google explains in developer documentation about potentially harmful applications (PHAs).
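Dynamically loaded code still runs with only the permissions declared in the app's manifest, so the manifest remains a useful static triage point even when the payload is fetched at runtime. The following is an added example, not code from Microsoft's analysis: the mapping of behaviours described in this article (SMS interception, notification hiding, forcing cellular) to manifest declarations is an assumption, and both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping from behaviours in the article to manifest declarations.
SIGNALS = {
    "reads_or_intercepts_sms": {P + "READ_SMS", P + "RECEIVE_SMS"},
    "can_force_cellular": {P + "CHANGE_NETWORK_STATE", P + "CHANGE_WIFI_STATE"},
}
LISTENER = P + "BIND_NOTIFICATION_LISTENER_SERVICE"

def triage(manifest_xml):
    """Return the sorted list of toll-fraud-relevant signals in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    declared = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    hits = {name for name, perms in SIGNALS.items() if declared & perms}
    # A notification listener is a <service> guarded by the bind permission.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == LISTENER:
            hits.add("can_hide_notifications")
    return sorted(hits)

def needs_review(manifest_xml):
    """Escalate only when network control is paired with SMS or notification access."""
    hits = set(triage(manifest_xml))
    return "can_force_cellular" in hits and len(hits) >= 2

# Constructed sample manifests (not taken from any real app).
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".Listener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage(doc), needs_review(doc))
```

A hit is a prompt for manual review rather than a verdict, since legitimate messaging or connectivity apps can declare the same permissions.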
With a 0.022% install rate, toll fraud apps were responsible for 34.8% of all PHAs installed through the Android app marketplace in the first quarter of 2022, placing them just below spyware. Most installations come from India, Russia, Mexico, Indonesia and Turkey.
To reduce the threat of toll fraud malware, it is recommended that users only install applications from the Google Play Store or other trusted sources, avoid granting excessive permissions to apps, and consider upgrading to a new device if their current one no longer receives software updates.