Your Wi-Fi is Disabled by Toll Fraud Virus, Which Forces Premium Subscriptions

Toll fraud software is one of the most common problems on Android, and Microsoft is warning that it is growing with capabilities that allow automated membership to premium services.

A subcategory of billing fraud called toll fraud involves tricking victims into calling or sending SMS messages to a premium number.

The difference is that toll fraud does not work over Wi-Fi, so the malware forces the device to connect to the mobile operator's network.

Overview of toll fraud

In a paper released today, Microsoft provides technical information on how Android users can protect themselves from toll fraud software.

The Wireless Application Protocol (WAP), which enables customers to subscribe to premium content and add the fee to their phone bill, is how toll fraud operates.

The customer must be connected over the mobile network and click a subscription button. Some services also ask the user to confirm the choice by entering a one-time password (OTP).

Malware that facilitates toll fraud starts the fraudulent subscription, intercepts the OTPs, and suppresses the warnings that would otherwise alert the victim.

Microsoft has identified several steps in the process, which frequently take place without the user being aware of them:

  • Turn off Wi-Fi or wait for the user to switch to a mobile network
  • Navigate to the subscription page covertly
  • Click the subscribe button automatically
  • Intercept the OTP (if applicable)
  • Send the OTP to the service provider (if applicable)
  • Suppress SMS notifications (if applicable)

Removing the Wi-Fi connection

The malware begins by gathering information on the subscriber's country and mobile network, which Android lets an app read without the user's consent.

Disabling the Wi-Fi connection and forcing the device onto the operator's network is a key step. On Android 9 (API level 28) or earlier this can be done with a permission of normal protection level.

For higher API levels, the requestNetwork function is available; it is covered by the CHANGE_NETWORK_STATE permission, which also has a normal protection level.

Microsoft demonstrated this with a piece of the Joker malware, which has continuously crept into Google’s Play Store for more than five years.

The toll fraud malware then uses NetworkCallback to track network activity and reads the networkType variable to bind the process to a particular network, forcing the device to abandon the Wi-Fi connection in favor of the one provided by the mobile operator.

The user can only get around this by manually turning off mobile data.

If the victim's mobile carrier is one of the targets, the malware then attempts to subscribe automatically to a list of websites that offer premium services.

Typically the user clicks an HTML element and a verification code is then sent to the server, but there are other subscription flows as well.

“In order for the malware to carry out this action automatically, it keeps track of how quickly the website is loading and injects JavaScript code that is intended to click HTML elements that start the subscription. Because a user may only subscribe to a service once, the code additionally uses a cookie to designate the HTML page to prevent double subscriptions.” - Microsoft

Microsoft warns that extra verification may occasionally be needed. The company’s analysis of toll fraud malware samples revealed techniques for doing that as well.

Some carriers only complete the subscription after confirming that the customer allowed it by sending an OTP code through SMS, HTTP, or USSD (Unstructured Supplementary Service Data), the first two of which are the most common.

It's fairly unusual for Android malware to steal SMS data, and when collecting messages sent over HTTP, the response needs to be parsed to look for strings that represent a verification token.

The threat actor is free to finalize the subscription to the chosen premium service once they have the authorisation code.

This is insufficient, though, as victims might receive subscription-related notifications; therefore, they must be blocked.

“Since API level 18, a NotificationListenerService-extended application is permitted to suppress notifications generated by other applications.” - Microsoft

To suppress SMS notifications from other apps, malware developers can make use of three API calls:

  • cancelAllNotifications() to instruct the notification manager to cancel all notifications
  • cancelNotification(String key) to request the cancellation of a single notification from the notification manager
  • cancelNotifications(String[] keys) to request that several notifications be dismissed at once by the notification manager

The creators of toll fraud malware often include features that make the malicious activity as covert as possible. One method is to keep the malware dormant if the mobile network of the infected device is not on the target list.

Another approach is to employ dynamic code loading, which only permits some code to load under particular circumstances. This makes it more challenging to detect the infection, particularly when using static analysis.

The key to preventing toll fraud malware from infecting your smartphone is to ensure that the source you use to get your Android app is reliable, like Google’s Play Store.

Additionally, it’s a good idea to review the permissions required during installation if you want to protect your privacy and lessen the likelihood that malware will take over your device.

Microsoft also advises users to refrain from giving apps access to SMS, notifications, or accessibility services unless these rights are absolutely necessary for the app to work.
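The permission and API hooks the article describes (CHANGE_NETWORK_STATE for forcing the device off Wi-Fi, SMS access for reading the OTP, a NotificationListenerService for hiding carrier notifications, and accessibility access) can all be seen in an app's manifest before it ever runs. The following is an added triage example, not code from Microsoft's report or from any malware sample: it parses an AndroidManifest.xml and flags the combination the report's infection chain depends on. The two sample manifests are constructed for illustration and the package names are made up; the permission strings and the listener intent action are real Android identifiers, while the grouping into "capabilities" and the suspicion rule are this example's own heuristic.

```python
"""Static triage of an Android manifest for the toll-fraud capability combination.

Added example (not from Microsoft's report). Real Android permission names are used;
the capability grouping and the scoring rule are assumptions made for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# <uses-permission> strings that grant each capability the article describes.
CAPABILITY_PERMS = {
    "change_network": {"android.permission.CHANGE_NETWORK_STATE"},
    "sms_access": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
}

# A <service> guarded by one of these bind permissions can read other apps'
# notifications (and cancel them) or drive the UI on the user's behalf.
BOUND_SERVICE_PERMS = {
    "notification_listener": "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "accessibility": "android.permission.BIND_ACCESSIBILITY_SERVICE",
}


def declared_capabilities(manifest_xml: str) -> set:
    """Return the set of toll-fraud-relevant capabilities declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    found = set()
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    for capability, perms in CAPABILITY_PERMS.items():
        if requested & perms:
            found.add(capability)
    for service in root.iter("service"):
        for capability, perm in BOUND_SERVICE_PERMS.items():
            if service.get(PERMISSION_ATTR) == perm:
                found.add(capability)
    return found


def toll_fraud_indicators(manifest_xml: str) -> dict:
    """Apply the heuristic: network control plus OTP theft or notification hiding.

    This mirrors the chain in the article (force mobile data, read the OTP from
    SMS, suppress the carrier's notification). Each capability is legitimate on
    its own; it is the combination that warrants a closer look.
    """
    caps = declared_capabilities(manifest_xml)
    suspicious = "change_network" in caps and bool(caps & {"sms_access", "notification_listener"})
    return {"capabilities": sorted(caps), "suspicious": suspicious}


# Constructed sample manifests (not from any real app).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".Listener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, toll_fraud_indicators(manifest))
```

The rule deliberately does not flag SMS or notification access alone, since messaging and wearable-companion apps need them; it is the pairing with the ability to push the device onto the mobile network that matches the behaviour described above. The same check can be run over the manifest extracted from an APK with a tool such as apktool.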
