Android apps bypass WAP billing security measures, Microsoft analysis finds. These apps are the second biggest threat in the Play Store after spyware.
Microsoft’s Defender research team has taken a closer look at Android malware, examining apps that commit toll fraud. Unlike SMS or call scams, these use WAP billing: they secretly subscribe the victim to WAP sites, and the fees are collected via the phone bill.
Android malware with special features
In order to commit this type of fraud, the cybercriminals must, among other things, ensure that the device is on the mobile network and intercept the confirmation text messages that would otherwise alert potential victims to the fraudulent transactions.
Moreover, the malicious code is well hidden so that it is not noticed by automated (static) analysis. The malicious actors manage this again and again: almost 35 percent of the potentially malicious apps in the Google Play Store fall into this category, writes Microsoft. Spyware is the only category ranked higher.
To achieve these goals, the malware usually checks the phone’s location and network operator and only becomes active for certain combinations of the two. There are also differences depending on the Android version in use. Up to Android 9, apps could deactivate WLAN themselves and thus force the smartphone onto the mobile network. On newer versions, an app has to wait in the background and be notified when a network change has taken place.
Finally, the malware has to intercept the one-time passwords, which are sent to the mobile phone either via HTTP, via USSD (a GSM protocol) or via SMS. For USSD this is only possible by hooking into accessibility services; for HTTP, the token must be extracted from the HTTP responses. To intercept SMS, it is sufficient for the app to request the android.permission.RECEIVE_SMS permission.
Taking out unwanted subscriptions
The fraudulent subscription then takes place in several steps:
- Deactivate the WLAN connection or wait for the switch to the mobile data network
- Secretly open the subscription page
- Automatically click the subscribe button
- Intercept the one-time password (OTP), if applicable
- Send the OTP to the service provider, if applicable
- Discard the SMS notifications, if applicable
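Each step in this chain needs a capability the app has to declare, which is why the article singles out SMS, accessibility and notification-handler permissions. As an added example (not code from Microsoft’s blog post or the article), the following Python triage helper parses an AndroidManifest.xml, maps the declared permissions and bound services to the fraud-chain step each one enables, and rates the combination. The manifest is constructed for the example; real apps with these permissions can be entirely legitimate, so the output is a review hint, not a verdict.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace prefix

# Manifest indicators mapped to the fraud-chain step each enables; none is
# malicious on its own, so this is a triage hint, not a verdict.
PERMISSION_HINTS = {
    "android.permission.RECEIVE_SMS": "intercept OTP / confirmation SMS",
    "android.permission.CHANGE_WIFI_STATE": "disable WLAN to force mobile data (Android 9 and below)",
    "android.permission.ACCESS_NETWORK_STATE": "watch for the switch to mobile data (newer Android)",
}
SERVICE_HINTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility hook (USSD token, auto-click)",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification handler (hide SMS alerts)",
}

def triage_manifest(xml_text: str) -> dict:
    """Return {indicator: fraud-chain step} for each relevant declaration in the manifest."""
    root = ET.fromstring(xml_text)
    found = {}
    for elem in root.iter("uses-permission"):
        name = elem.get(A + "name", "")
        if name in PERMISSION_HINTS:
            found[name] = PERMISSION_HINTS[name]
    for svc in root.iter("service"):
        perm = svc.get(A + "permission", "")  # services bound by the system declare this
        if perm in SERVICE_HINTS:
            found[perm] = SERVICE_HINTS[perm]
    return found

def risk_level(found: dict) -> str:
    """'high' when an OTP-capture path and a network-control path are both present."""
    keys = set(found)
    otp = {"android.permission.RECEIVE_SMS",
           "android.permission.BIND_ACCESSIBILITY_SERVICE"} & keys
    net = {"android.permission.CHANGE_WIFI_STATE",
           "android.permission.ACCESS_NETWORK_STATE"} & keys
    return "high" if otp and net else "medium" if otp or net else "low"

# Constructed sample manifest: a "wallpaper" app that asks for far more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

Calling `risk_level(triage_manifest(SAMPLE_MANIFEST))` returns "high" for the sample, because it combines an OTP-capture path (SMS plus accessibility) with WLAN control.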
To hide from static detection, the malware uses mechanisms such as dynamic code loading: parts of the malware code are only loaded if certain conditions are met. In their blog post, Microsoft’s researchers explain how the malware first recovers a password from its own resources and uses it to decrypt and launch an AES-encrypted binary stored in the application cache. In a second stage, an .apk file is decrypted and functions from it are executed; these download a .jar file in a third stage, which finally performs the fraudulent actions.
To protect against malware like this, Microsoft gives the usual advice, such as only downloading and installing applications from the official app store. In addition, users should not grant applications permissions for SMS or notification handlers, nor access to accessibility services. Malware protection is also recommended. Perhaps the most important tip comes at the end: replace a smartphone that hasn’t received security updates for a long time with a newer device that is still supported by the manufacturer.
Malicious apps often find their way into the official app stores; the techniques described here, such as loading the malicious code in several stages, help them do so. Nevertheless, the store operators are more likely to find malware there, and they can also render it harmless on the end devices.