Microsoft warns of dangers of toll fraud malware on Android devices

Android users are being targeted by malware that silently signs them up for premium subscription services they never wanted or asked for, according to a Microsoft Security blog post.

In a report by Microsoft researchers Dimitrios Valsamaras and Sang Shin Jung, the pair details the ongoing evolution of “toll fraud malware” and the ways it attacks Android users and their devices. According to the team, toll fraud falls under the subcategory of billing fraud “where malicious applications enroll users in premium services without their knowledge or consent” and “is one of the most common forms of Android malware”.

Toll fraud abuses Wireless Application Protocol (WAP) billing, which lets consumers subscribe to paid content and have the charges added to their phone bill. Because WAP billing identifies the subscriber through the cellular network, the malware needs the device on mobile data: it can disconnect the device from Wi-Fi or otherwise force it onto the cellular connection. Once on the mobile network, the malware silently subscribes to premium services and intercepts or hides the one-time passwords (OTPs) sent to verify the subscriber, so the target never sees the confirmation and has no chance to opt out.

The evolution of toll fraud malware from its dialer days poses a dangerous threat, the researchers warn. Victims can be hit with significant mobile billing charges. Affected devices are also at increased risk because the malware can evade detection and reach a large number of installations before a single variant is taken down.

How does this malware even get on my device?

This type of attack starts when a user downloads an app from the Google Play Store in which the malware is disguised. These trojan apps are usually listed in popular categories such as personalization (wallpaper and lock screen apps), beauty, editors, communication (messaging and chat apps), photography, and tools (such as cleaner and fake antivirus apps). The researchers say these apps ask for permissions that do not match what the app does (for example, a camera or wallpaper app that asks for SMS or notification listener permissions).

The goal of these apps is to be downloaded by as many people as possible. Valsamaras and Shin Jung have identified some common ways attackers try to keep their app in the Google Play Store:

  1. Upload clean versions until the application gets a sufficient number of installs.

  2. Update the application to dynamically load malicious code.

  3. Separate the malicious flow from the uploaded application to remain undetected for as long as possible.

What can I do to protect myself against malware?

Valsamaras and Shin Jung say that apps hiding malware in the Google Play Store share common tell-tale features to look for before downloading. As mentioned above, some apps ask for excessive permissions that their stated purpose does not need. Other features to look out for include apps with user interfaces or icons copied from other apps, developer profiles that look fake or use bad grammar, and a slew of bad reviews.
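The permission mismatch described above, and the SMS, notification and network access the WAP subscription flow needs, as an added example that is not code from the Microsoft report or from this article: a small Python triage that parses AndroidManifest.xml files and flags apps whose category does not justify the sensitive permissions they request. The category labels, the per-category sets of "expected" permissions and the three manifests are this example's own assumptions and constructed data; the permission names themselves are real Android identifiers.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Real Android permission names: the capabilities a toll-fraud app needs to
# drive a WAP subscription over cellular and hide the OTP (SMS access,
# notification access, switching the network). Selection is our assumption.
TOLL_FRAUD_SENSITIVE = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.CHANGE_NETWORK_STATE",
}

# Assumption: which sensitive permissions a category could legitimately justify.
# Wallpaper, beauty, editor and photo apps justify none of them.
EXPECTED_BY_CATEGORY = {
    "personalization": set(),
    "beauty": set(),
    "editor": set(),
    "photography": set(),
    "communication": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
        "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    },
    "tools": {"android.permission.CHANGE_NETWORK_STATE"},
}


@dataclass
class AppListing:
    package: str
    category: str
    manifest_xml: str


def permissions_from_manifest(manifest_xml: str) -> set:
    """Collect <uses-permission> names plus the permission guarding each <service>."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    # Notification access is not requested via <uses-permission>; it is a
    # <service> guarded by BIND_NOTIFICATION_LISTENER_SERVICE, so pick that up too.
    perms |= {el.get(PERMISSION_ATTR) for el in root.iter("service")}
    return {p for p in perms if p}


def unexpected_permissions(app: AppListing) -> list:
    """Sensitive permissions the app requests that its category does not justify."""
    requested = permissions_from_manifest(app.manifest_xml) & TOLL_FRAUD_SENSITIVE
    expected = EXPECTED_BY_CATEGORY.get(app.category, set())
    return sorted(requested - expected)


def triage(listings) -> dict:
    """Map package name -> unjustified permissions for listings worth a closer look."""
    findings = {}
    for app in listings:
        flagged = unexpected_permissions(app)
        if flagged:
            findings[app.package] = flagged
    return findings


# Constructed manifests (not real apps). The wallpaper app is the suspicious one:
# it asks for SMS, network switching and notification access it cannot justify.
WALLPAPER_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wallpapers">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
  <application>
    <service android:name=".NotifService" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

CHAT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.chat">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".NotifService" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

CLEANER_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.cleaner">
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application/>
</manifest>"""

SAMPLE_LISTINGS = [
    AppListing("com.example.wallpapers", "personalization", WALLPAPER_MANIFEST),
    AppListing("com.example.chat", "communication", CHAT_MANIFEST),
    AppListing("com.example.cleaner", "tools", CLEANER_MANIFEST),
]

if __name__ == "__main__":
    for package, perms in triage(SAMPLE_LISTINGS).items():
        print(f"{package}: unjustified {', '.join(perms)}")
```

Only the wallpaper app is reported. The chat app declares the same SMS and notification-listener access but its category justifies it, and the cleaner's network-switching permission is expected for a tools app, which is the point of the heuristic: the permission alone is not the red flag, the mismatch between permission and stated purpose is.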

If you think you have already installed a malicious app, common symptoms include rapid battery drain, connectivity issues, constant overheating, or a device that runs much slower than usual.

The pair also warned against sideloading apps that are not officially available on the Google Play Store, as doing so increases the risk of infection. The figures they cite show that toll fraud malware accounted for 34.8% of the “Potentially Harmful Applications” (PHAs) installed from the Google Play Store in the first quarter of 2022, second only to spyware.

According to a Google transparency report, most of those installations were in India, Russia, Mexico, Indonesia and Turkey.
