Microsoft Warns Of Toll Fraud Malware Scamming Android Users And Draining Wallets

microsoft wanrs toll fraud malware android news
Last month, we wrote about malicious Android apps containing a trojan that researchers have dubbed “SMSFactory.” This bit of malware exists to infect Android phones and conduct SMS billing fraud. SMSFactory uses SMS and phone permissions to regularly send premium text messages and make calls to premium numbers. Premium calls and texts add fees to phone bills, which customers have to pay at the end of their billing cycles. The victims of this kind of fraud end up paying more expensive phone bills, and the extra money is directed to the cybercriminals who own and operate the premium phone numbers.

SMSFactory isn’t the only malware that conducts this kind of fraud. SMSFactory has so far been found in malicious apps that must be side-loaded onto Android phones. However, bad actors have managed to sneak malicious apps bearing the Joker malware family into the Google Play Store time and time again since its first appearance in 2017. Among other malicious activities, Joker subscribes its victims to paid services via SMS.

microsoft wanrs toll fraud malware android billing process news
The Wireless Application Protocol billing process (source: Microsoft)

After years of Joker and other malware families afflicting Android users with expensive phone bills, Microsoft has published a lengthy and detailed breakdown of how these sorts of malware commit billing fraud. Malicious billing fraud of the kind conducted by SMSFactory and Joker relies on the Wireless Application Protocol (WAP). The WAP billing process has a one time password (OTP) safeguard to ensure that phone users mean to subscribe to premium services. However, this safeguard isn’t always present, and, even when it is, malware developers have figured out how to get around it.

According to Microsoft, the malware attack chain usually begins with the malware either disabling the Wi-Fi connection or waiting for the user to switch from Wi-Fi to mobile data. Once the infected phone is connected to a mobile network, the malware navigates to a premium service subscription page, and injects javascript into the page that clicks the subscription button. If the WAP OTP safeguard applies, then the malware intercepts the OTP that’s sent over text, sends the OTP to the service provider, and finishes by canceling the SMS notifications that might alert the victim to the unauthorized premium subscription.

This automated subscription process is a pretty devilish way to commit fraud, but Microsoft has some suggestions for avoiding the malware that carries out this fraud. The company’s 365 Defender Research Team recommends that users stick to installing apps from the Google Play Store or other trusted sources and avoid giving apps SMS permissions, notification listener access, or accessibility access without understanding why the apps need these permissions. The team also suggests using a trusted anti-virus solution and retiring phones that are no longer receiving updates.