Android malware developers are stepping up their billing fraud game with apps that disable Wi-Fi connections, surreptitiously subscribe users to pricey wireless services, and intercept text messages, all in a bid to collect hefty fees from unsuspecting users, Microsoft said on Friday.
This threat class has been a fact of life on the Android platform for years, as exemplified by a family of malware known as Joker, which has infected millions of phones since 2016. Despite awareness of the problem, little attention has been paid to the techniques that such “toll fraud” malware uses. Enter Microsoft, which has published a technical deep dive on the issue.
The billing mechanism abused in this type of fraud is WAP, short for wireless application protocol, which provides a means of accessing information over a mobile network. Mobile phone users can subscribe to such services by visiting a service provider’s web page while their devices are connected to cellular service, then clicking a button. In some cases, the carrier will respond by texting a one-time password (OTP) to the phone and requiring the user to send it back in order to verify the subscription request. The process looks like this:
The goal of the malicious apps is to subscribe infected phones to these WAP services automatically, without the notice or consent of the owner. Microsoft said that malicious Android apps its researchers have analyzed achieve this goal by following these steps:
- Disable the Wi-Fi connection or wait for the user to switch to a mobile network
- Silently navigate to the subscription page
- Auto-click the subscription button
- Intercept the OTP (if applicable)
- Send the OTP to the service provider (if applicable)
- Cancel the SMS notifications (if applicable)
Malware developers have various ways to force a phone to use a cellular connection even when it’s connected to Wi-Fi. On devices running Android 9 or earlier, the developers can invoke the setWifiEnabled method of the WifiManager class. For versions 10 and above, developers can use the requestNetwork function of the ConnectivityManager class. Eventually, phones will load data exclusively over the cellular network, as demonstrated in this image:
Once a phone uses the cellular network for data transmission, the malicious app surreptitiously opens a browser in the background, navigates to the WAP subscription page, and clicks a subscribe button. Confirming the subscription can be tricky because confirmation prompts can come by SMS, HTTP, or USSD protocols. Microsoft lays out specific methods that malware developers can use to bypass each type of confirmation. The Microsoft post then goes on to explain how the malware suppresses periodic messages that the subscription service may send the user to remind them of their subscription.
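The step list above doubles as a triage checklist for defenders: an app can only walk that chain if its manifest declares the permissions the steps require. The following is an added example (not code from Microsoft's report or from any malware family) that parses an AndroidManifest.xml and reports which steps of the toll-fraud chain the app is capable of. The permission names and the SMS_RECEIVED action are real Android identifiers; the mapping of permissions to steps, the scoring rule and the two sample manifests are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Steps of the chain described above, mapped to the permission(s) an app must
# declare to perform them. The mapping is an assumption of this example.
STEP_PERMISSIONS = {
    "disable_wifi_or_force_cellular": {"android.permission.CHANGE_WIFI_STATE",
                                       "android.permission.CHANGE_NETWORK_STATE"},
    "navigate_to_subscription_page": {"android.permission.INTERNET"},
    "intercept_otp_sms": {"android.permission.RECEIVE_SMS",
                          "android.permission.READ_SMS"},
    "send_otp_sms": {"android.permission.SEND_SMS"},
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def registers_sms_receiver(manifest_xml: str) -> bool:
    """True if any intent filter in the manifest listens for incoming SMS."""
    root = ET.fromstring(manifest_xml)
    return any(a.get(ANDROID_NS + "name") == SMS_RECEIVED for a in root.iter("action"))

def toll_fraud_capabilities(manifest_xml: str) -> list:
    """List the chain steps this app is permitted to carry out, in chain order."""
    perms = declared_permissions(manifest_xml)
    return [step for step, needed in STEP_PERMISSIONS.items() if perms & needed]

def is_suspicious(manifest_xml: str) -> bool:
    # Network steering alone and SMS access alone are common in benign apps;
    # flag only the combination, which is what the chain above requires.
    caps = toll_fraud_capabilities(manifest_xml)
    touches_sms = ("intercept_otp_sms" in caps or "send_otp_sms" in caps
                   or registers_sms_receiver(manifest_xml))
    return "disable_wifi_or_force_cellular" in caps and touches_sms

# Constructed sample manifests, not taken from any real app.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application><receiver android:name=".SmsReceiver"><intent-filter android:priority="999">
    <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
  </intent-filter></receiver></application>
</manifest>"""
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""
```

Run against an unpacked APK's decoded manifest, the flag is a triage signal for closer review, not a verdict: legitimate connectivity or messaging apps can declare the same permissions.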
“By subscribing users to premium services, this malware can lead to victims receiving significant mobile bill charges,” Microsoft researchers wrote. “Affected devices also have increased risk because this threat manages to evade detection and can achieve a high number of installations before a single variant gets removed.”
Google actively bars apps from its Play market when it detects signs of fraud or malice, or when it receives reports of malicious apps from third parties. While Google often doesn’t remove malicious apps until after they have infected millions of users, apps downloaded from Play are generally regarded as more trustworthy than apps from third-party markets.