Billing fraud apps can disable Android Wi-Fi and intercept text messages


Android malware developers are stepping up their billing fraud game with apps that disable Wi-Fi connections, surreptitiously subscribe users to expensive wireless services, and intercept text messages, all in an effort to collect high charges from unsuspecting users, Microsoft said on Friday.

This class of threats has been a part of life on the Android platform for years, as evidenced by a malware family known as the Joker, which has infected millions of phones since 2016. Despite awareness of the problem, little attention was given to the techniques used by this "toll fraud" malware. Enter Microsoft, which has released an in-depth technical dive into the matter.

The charging mechanism abused in this type of fraud is WAP, short for Wireless Application Protocol, which provides a way to access information via a mobile network. Cell phone users can subscribe to these services by visiting a service provider's web page while their devices are connected to cellular service and clicking a button. In some cases, the operator will respond by sending a one-time password (OTP) to the phone and asking the user to resend it in order to verify the subscription request. The process looks like this:

[Image: the WAP subscription process. Credit: Microsoft]

The goal of malicious applications is to automatically subscribe infected phones to these WAP services, without notice or consent from the owner. Microsoft said the malicious Android apps its researchers analyzed achieve this goal by following these steps:

1. Disable Wi-Fi connection or wait for user to switch to mobile network
2. Silently go to the subscription page
3. Automatically click the subscribe button
4. Intercept OTP (if applicable)
5. Send OTP to service provider (if applicable)
6. Cancel SMS notifications (if available)

Malware developers have several ways to force a phone to use a cellular connection even when connected to Wi-Fi. On devices running Android 9 or earlier, developers can call the setWifiEnabled method of the WifiManager class. For versions 10 and above, developers can use the requestNetwork function of the ConnectivityManager class. Eventually, phones will load data exclusively over the cellular network, as shown in this image:

[Image: a phone loading data exclusively over the cellular network. Credit: Microsoft]

Once a phone uses the cellular network for data transmission, the malicious app surreptitiously opens a browser in the background, navigates to the WAP subscription page, and clicks a subscription button. Subscription confirmation can be tricky because confirmation prompts can come from SMS, HTTP, or USSD protocols. Microsoft describes specific methods that malware developers can use to bypass each type of confirmation. Microsoft's write-up then goes on to explain how the malware suppresses periodic messages that the subscription service may send to the user to remind them of their subscription.
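For defenders vetting apps, the behaviours described above leave static traces. The following is an added example, not code from the article or from Microsoft: a triage script that checks a decoded AndroidManifest.xml and decompiled code text for the ability to force cellular data combined with the ability to read or hide incoming messages. The behaviour-to-permission mapping, the function names and the sample inputs are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Heuristic mapping (an assumption of this example) from behaviours in the
# article to static indicators in a decoded manifest and decompiled code.
PERMISSIONS = {
    "force_cellular": {"android.permission.CHANGE_WIFI_STATE",
                       "android.permission.CHANGE_NETWORK_STATE"},
    "intercept_sms": {"android.permission.RECEIVE_SMS",
                      "android.permission.READ_SMS"},
}
LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
API_CALLS = re.compile(r"\b(setWifiEnabled|requestNetwork)\b")

def triage(manifest_xml, code_text):
    """Return {behaviour: evidence list} for one app."""
    root = ET.fromstring(manifest_xml)
    declared = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    findings = {}
    for behaviour, perms in PERMISSIONS.items():
        hits = sorted(declared & perms)
        if hits:
            findings[behaviour] = hits
    # A notification listener is declared on a <service>, not as uses-permission.
    if any(s.get(ANDROID + "permission") == LISTENER for s in root.iter("service")):
        findings["hide_notifications"] = [LISTENER]
    calls = sorted(set(API_CALLS.findall(code_text)))
    if calls:
        findings.setdefault("force_cellular", []).extend(calls)
    return findings

def needs_review(findings):
    # Flag only the combination the article describes: the app can steer
    # traffic onto cellular AND can read or hide incoming messages.
    return "force_cellular" in findings and (
        "intercept_sms" in findings or "hide_notifications" in findings)

# Constructed sample inputs (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wallpaper">
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".Listener" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_CODE = "wifiManager.setWifiEnabled(false);  // constructed line"

if __name__ == "__main__":
    print(needs_review(triage(SAMPLE_MANIFEST, SAMPLE_CODE)))
```

Each indicator is common in legitimate apps on its own, so a hit means the app deserves manual review, not that it is malicious.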

"By subscribing users to premium services, this malware can cause victims to receive significant mobile billing charges," the Microsoft researchers wrote. "Affected devices also pose an increased risk as this threat manages...
