Microsoft has detailed the evolving capabilities of toll fraud malware apps on Android, pointing out its “complex multi-step attack flow” and an improved mechanism to evade security analysis.
Toll fraud belongs to a category of billing fraud wherein malicious mobile applications come with hidden subscription fees, roping in unsuspecting users to premium content without their knowledge or consent.
It’s also different from other fleeceware threats in that the malicious functions are only carried out when a compromised device is connected to one of its target network operators.
“It also, by default, uses cellular connection for its activities and forces devices to connect to the mobile network even if a Wi-Fi connection is available,” Dimitrios Valsamaras and Sang Shin Jung of the Microsoft 365 Defender Research Team said in an exhaustive analysis.
“Once the connection to a target network is confirmed, it stealthily initiates a fraudulent subscription and confirms it without the user’s consent, in some cases even intercepting the one-time password (OTP) to do so.”
Such apps are also known to suppress SMS notifications related to the subscription to prevent the victims from becoming aware of the fraudulent transaction and unsubscribing from the service.
At its core, toll fraud takes advantage of the payment method which enables consumers to subscribe to paid services from websites that support the Wireless Application Protocol (WAP). This subscription fee gets charged directly to the users’ mobile phone bills, thus obviating the need for setting up a credit or debit card or entering a username and password.
“If the user connects to the internet through mobile data, the mobile network operator can identify him/her by IP address,” Kaspersky noted in a 2017 report about WAP billing trojan clickers. “Mobile network operators charge users only if they are successfully identified.”
Optionally, some providers can also require OTPs as a second layer of confirmation of the subscription prior to activating the service.
“In the case of toll fraud, the malware performs the subscription on behalf of the user in a way that the overall process isn’t perceivable,” the researchers said. “The malware will communicate with a [command-and-control] server to retrieve a list of offered services.”
Upon a successful fraudulent subscription, the malware either conceals the subscription notification messages or abuses its SMS permissions to delete incoming SMS messages containing information about the subscribed service from the mobile network operator.
Toll fraud malware is also known to cloak its malicious behavior by means of dynamic code loading, a feature in Android that allows apps to pull additional modules from a remote server during runtime, making it ripe for abuse by malicious actors.
From a security standpoint, this also means that a malware author can fashion an app such that the rogue functionality is only loaded when certain prerequisites are met, effectively defeating static code analysis checks.
“If an app allows dynamic code loading and the dynamically loaded code is extracting text messages, it will be classified as a backdoor malware,” Google lays out in developer documentation about potentially harmful applications (PHAs).
With an install rate of 0.022%, toll fraud apps accounted for 34.8% of all PHAs installed from the Android app marketplace in the first quarter 2022, ranking below spyware. Most of the installations originated from India, Russia, Mexico, Indonesia, and Turkey.
To mitigate the threat of toll fraud malware, it’s recommended that users install applications only from the Google Play Store or other trusted sources, avoid granting excessive permissions to apps, and consider upgrading to a new device should it stop receiving software updates.