Android devices are currently at risk of being targeted by toll fraud malware, which allows the threat operators to disable a user’s WiFi access and force them into subscribing to premium services. Reports say this malware does not work over WiFi connections, so it switches the device to connect to the internet through its mobile operator’s network.
Microsoft recently detailed the toll fraud malware’s capabilities and shared recommendations on how Android users could prevent it from infecting their devices.
According to the analysis, toll fraud works over WAP (Wireless Application Protocol), pushing users into subscriptions for premium offers or paid content that are charged to their periodic phone bills.
The malware behind this campaign does not require user interaction to subscribe to the premium services; it does everything automatically, including initiating the fraudulent subscription, bypassing OTPs, and hiding alert notifications from the victim.
Once inside an Android device, the malware collects data about the user’s country and mobile carrier. It then deactivates the user’s WiFi connection and moves connectivity to the mobile network. On devices at API level 28 or lower, this requires only a normal-level permission. On devices with a higher API level, the threat actors instead call the ‘requestNetwork’ function, which falls under the CHANGE_NETWORK_STATE permission.
To move the device’s connectivity from WiFi to the network operator, the toll fraud malware uses the ‘NetworkCallback’ interface, which binds the process to the targeted network and turns off the WiFi connection. Microsoft highlighted that users must manually disable mobile data to stop the malware from proceeding with the process.
Next, the toll fraud malware collects a list of sites that provide paid content or premium offers and attempts to subscribe the user to them. Since there are various ways for a user to subscribe to a premium service, the malware automates the process by injecting JavaScript code into the HTML page that initiates the subscription.
Finally, to obtain the verification code that completes the subscription, the threat actors steal the SMS data carrying the code. The malware still needs to suppress the OTP alert from the victim’s notifications, which it does by abusing three sets of API calls that let it silence the SMS notifications apps would normally trigger.
Spotting the malware can be challenging because its operators use engineered obfuscation mechanisms, including dynamic code loading, so that specific code is loaded only when a particular condition is met.
Users are advised to ensure that the applications they install on their phone come from an official store, such as Google Play. It is also vital to check the permissions granted after every installation to minimise the risk of malware infection. Lastly, users can remove an application’s permissions to read or send SMS and to access notifications, especially where these permissions are unnecessary for the specific app they have downloaded.
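As an added example (not from Microsoft’s report or this article), the permission review recommended above can be scripted: the code below parses ‘dumpsys package’ output and the enabled_notification_listeners setting and flags apps that request the network-switching permissions named earlier together with SMS or notification access. The com.example package names and the sample output are constructed; the permission names and the two adb commands are standard Android ones.

```python
import re
from collections import defaultdict

# Standard Android permission names; grouping them into a "network-switch" /
# "sms" toll-fraud pattern is this example's own assumption.
NETWORK_PERMS = {"android.permission.CHANGE_NETWORK_STATE", "android.permission.CHANGE_WIFI_STATE"}
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

def parse_dumpsys_permissions(text):
    """Map package -> requested permissions from 'adb shell dumpsys package' output."""
    perms, package, in_requested = defaultdict(set), None, False
    for line in text.splitlines():
        header = re.match(r"\s*Package \[([\w.]+)\]", line)
        if header:
            package, in_requested = header.group(1), False
        elif re.match(r"\s*requested permissions:", line):
            in_requested = True
        elif re.match(r"\s*\w[\w ]*permissions:", line):  # another section starts
            in_requested = False
        elif in_requested and package:
            perm = line.strip().split(":")[0]
            if perm.startswith("android.permission."):
                perms[package].add(perm)
    return dict(perms)

def parse_notification_listeners(setting):
    """Packages from 'adb shell settings get secure enabled_notification_listeners'."""
    return {entry.split("/")[0] for entry in setting.strip().split(":") if entry}

def flag_toll_fraud_pattern(perms_by_pkg, listeners):
    """Flag packages that can switch networks AND read SMS or notifications."""
    flagged = {}
    for pkg, perms in perms_by_pkg.items():
        reasons = ["sms"] if perms & SMS_PERMS else []
        if pkg in listeners:
            reasons.append("notification-listener")
        if perms & NETWORK_PERMS and reasons:
            flagged[pkg] = ["network-switch"] + reasons
    return flagged

# Constructed sample output, not captured from a real device.
SAMPLE_DUMPSYS = """\
  Package [com.example.messenger] (a1b2c3):
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.CHANGE_NETWORK_STATE
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (d4e5f6):
    requested permissions:
      android.permission.CHANGE_WIFI_STATE
"""
SAMPLE_LISTENERS = "com.example.notes/.NoteListener:com.android.systemui/.Svc"
```

Running flag_toll_fraud_pattern on the two parsed inputs reports both sample packages, each with the reasons it was flagged for, while packages that hold only one half of the pattern are left alone.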