According to a new blog post from Microsoft Security, Android users are now being attacked by a toll fraud malware that purchases premium subscription services without their knowledge. In a recent report, two senior researchers from Microsoft – Sang Shin Jung and Dimitrios Valsamaras – explained how this malware evolution attacks Android devices unwittingly.

According to their analysis, a toll fraud malware falls under billing fraud and can cause thousands of dollars in damage to the user. It infects the device through malicious apps and ends up subscribing the owner of said device to paid, premium services without their consent. They say it’s one of the most common types of malwares for Android mobiles. 

These toll fraud malwares work over WAP (Wireless Application Protocol). WAP networks allow users to subscribe to content without asking for a credit card. Instead, it will add the charge to their phone bill. This type of attack relies heavily on mobile networks in order to function. So, the malware will disconnect the users’ phone from a Wi-Fi connection to force it onto the cellular network. 

After doing so, the malware will subscribe to premium services and hide the OTP (one-time passwords) those services usually send in order to verify the users’ identity. That way, it keeps the victims unaware of what is going on and they won’t unsubscribe to these services. 

This new toll fraud malware is an evolved version of the dial-up days, and presents users with an expensive threat, according to experts. That is because it might lead to a significant charge on mobile bills. Not only that, but the affected phones pose an increased risk since the malware is able to bypass detection. Therefore, it can get to a large number of subscriptions before one single variant can be found and removed. 

This kind of malware attack happens when a user downloads a fake app in the Google Play store. Malwares like these are known as “trojans”, and they usually disguise themselves as popular apps within popular categories. The most common subcategories where you can find fake applications are personalization. Image editors, photo apps and messaging apps are also very common.

According to researchers, the first thing that should tip you off as to the legitimacy of the app is that the fake ones ask for permissions that don’t align with the kind of service they provide. For instance, why would a personalization app ask for access to your SMS?

The goal with these malicious apps is to get as many downloads as possible by unaware users. Both Microsoft researchers were able to identify some common patterns. They explain how cybercriminals keep the malicious app functioning on Google’s Play Store. First, they upload a clean version and wait until the app gets a high number of downloads. Then, they update the app and load the toll fraud malware. By separating the infected flow from the clean version, they’re able to remain undetected for a long period of time. 

According to both Microsoft researchers, these kinds of malicious apps have a few characteristics in common that users should be on the lookout for. One is that they will ask for permissions that don’t make sense. Users need to pay attention before downloading an app to see if there are others by the same name or similar icons. It’s also good to check for poor grammar and bad reviews before downloading anything. 

In case you’ve already downloaded an application infected with a toll fraud malware, your device will begin to show some signs of it. Some of it include connectivity issues, constant overheating and fast battery drain. 

Did you know that there are ways to find out if someone is using your Google or Netflix account? Check the link below for more details!