Microsoft warns of potential threat of phone fraud malware on Android devices

According to a Microsoft Security blog, Android users are being targeted by malware that signs them up, without their knowledge or consent, for premium subscription services they never wanted.

In a report by Microsoft researchers Dimitrios Valsamaras and Sang Shin Jung, the pair detailed the continued evolution of what Microsoft calls "toll fraud malware" and how it attacks Android users and their devices. According to the team, toll fraud falls under the billing fraud subcategory "in which malicious apps sign up users for premium services without their knowledge or consent" and "is one of the most prevalent types of Android malware".

Toll fraud abuses Wireless Application Protocol (WAP) billing, which lets subscribers pay for content by having the charge added to their phone bill. Because WAP billing identifies the subscriber through the mobile operator's network rather than through a login, the attack only works over a cellular data connection: the malware can disconnect the device from Wi-Fi or use other means to force it onto the cellular network. Once the device is on cellular, the malware subscribes to premium services in the background and intercepts and hides the one-time passwords (OTPs) the service sends by SMS to confirm the subscription. The aim is to keep victims in the dark so they never unsubscribe.

The evolution of toll fraud malware since the days of dial-up access presents a dangerous threat, the researchers warn. Victims can receive large charges on their mobile bills. Affected devices also pose a wider risk: because the malware evades detection, a single variant can reach a high number of installations before it is identified and removed.

How does this malware even end up on my device in the first place?

This type of attack starts when a user installs a trojanized app from the Google Play Store, where the malware is disguised as a legitimate app. These trojan apps are usually listed in popular store categories such as personalization (wallpaper and lock screen apps), beauty, editors, communication (messaging and chat apps), photography, and tools (such as cleaners and fake antivirus apps). The researchers say these apps request permissions that make no sense for what the app claims to do (for example, a camera or wallpaper app asking for permission to receive SMS messages or to read notifications).

The goal of these applications is to be installed by as many people as possible. Valsamaras and Shin Jung identified common ways attackers try to keep their app on the Google Play Store:

  1. Upload a clean build and leave it clean until the app has enough installs.

  2. Push an update that dynamically loads the malicious code at runtime.

  3. Keep the malicious flow separate from the uploaded application so that it remains undetected for as long as possible.

What can I do to protect myself against malware?

Valsamaras and Shin Jung say potential malware in the Google Play Store has common characteristics that one can look for before installing an app. As stated above, some apps request excessive permissions that the advertised functionality does not need. Other warning signs are apps whose user interface or icon copies another app's, developer profiles that look fake or contain poor grammar, and a slew of bad reviews.
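The permission mismatch described above and in the section on how the malware gets onto a device can be checked mechanically once an APK's manifest has been decoded (for example with apktool). The script below is an added example written for this page, not code from Microsoft's report: it parses a decoded AndroidManifest.xml, compares the SMS, notification-listener and network-control permissions it finds against the app's claimed Play Store category, and flags the combinations that match the toll fraud pattern (force the device onto cellular, then intercept the OTP). The two manifests are constructed for the example, and the list of categories for which SMS access is considered plausible is an assumption, not a Play Store rule.

```python
import xml.etree.ElementTree as ET

# Android manifest attribute namespace; attribute keys come back from
# ElementTree as "{namespace}name".
ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANAME = f"{{{ANDROID_NS}}}name"
APERM = f"{{{ANDROID_NS}}}permission"

# Permissions that let an app see or send SMS traffic (what toll fraud
# needs to catch the carrier's OTP) and permissions that let it force the
# device off Wi-Fi. The notification-listener permission is declared on a
# <service> element, not as <uses-permission>, so it is handled separately.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_WAP_PUSH",
    "android.permission.RECEIVE_MMS",
}
NETWORK_CONTROL_PERMISSIONS = {
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.CHANGE_NETWORK_STATE",
}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Play categories for which SMS or notification access is plausible.
# Assumption made for this example only.
CATEGORIES_EXPECTING_SMS = {"communication"}


def parse_manifest(xml_text):
    """Return (uses-permission names, service-level permissions) from a decoded manifest."""
    root = ET.fromstring(xml_text)
    uses = {el.get(ANAME) for el in root.iter("uses-permission")} - {None}
    services = {el.get(APERM) for el in root.iter("service")} - {None}
    return uses, services


def triage(xml_text, category):
    """Return a sorted list of finding tags for one app, given its claimed Play category."""
    uses, services = parse_manifest(xml_text)
    sms_plausible = category.strip().lower() in CATEGORIES_EXPECTING_SMS
    findings = set()
    if uses & SMS_PERMISSIONS and not sms_plausible:
        findings.add("sms-permission-mismatch")
    if NOTIFICATION_LISTENER in services and not sms_plausible:
        findings.add("notification-listener-mismatch")
    # Network control alone is common; combined with SMS access it matches
    # the force-to-cellular-then-intercept-OTP pattern regardless of category.
    if uses & NETWORK_CONTROL_PERMISSIONS and uses & SMS_PERMISSIONS:
        findings.add("network-control-plus-sms")
    return sorted(findings)


# Constructed sample manifests (not real apps): a "wallpaper" app asking for
# SMS, notification and Wi-Fi control, and a messaging app asking for the
# same things in a category where they are at least plausible.
WALLPAPER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>
"""

MESSENGER_MANIFEST = WALLPAPER_MANIFEST.replace("com.example.wallpapers", "com.example.chat")


if __name__ == "__main__":
    for label, manifest, category in [
        ("wallpaper app", WALLPAPER_MANIFEST, "Personalization"),
        ("messaging app", MESSENGER_MANIFEST, "Communication"),
    ]:
        print(label, "->", triage(manifest, category) or ["no findings"])
```

Run it against a manifest decoded from a real APK and the category shown on the store listing; the wallpaper sample trips all three checks, while the messaging sample only trips the network-control-plus-SMS combination, which is the one signal a legitimate messaging app still has to explain.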

If you think you have already installed a rogue app, common signs include rapid battery drain, connectivity problems, constant overheating, or the device running much slower than normal.

The pair also warned against sideloading apps from outside the Google Play Store, as this increases the risk of infection. Citing Google's Transparency Report, they note that toll fraud malware accounted for 34.8% of "potentially harmful apps" (PHAs) installed from the Google Play Store in Q1 2022, second only to spyware.

The same Google Transparency Report lists India, Russia, Mexico, Indonesia and Turkey as the countries where most of these installs occurred.
