Microsoft has warned about toll fraud malware on Android that uses a complex multi-step attack process and evades security analysis.
According to Microsoft, these malicious Android apps enroll users in hidden subscriptions to paid content without their knowledge. They differ from other threats in that the malicious function runs only when the device is connected to one of the targeted carriers.
Microsoft's research team says the malware forces the device to stay on the cellular network even when a Wi-Fi connection is available. It then silently subscribes to the service and confirms the subscription without the user's knowledge, even intercepting the one-time password (OTP) sent by text message.
Basically, this form of payment (WAP billing) allows users to subscribe to paid services from websites that support the Wireless Application Protocol (WAP). The subscription fee is charged directly to the mobile phone bill, so there is no need to set up a credit or debit card or to enter a username and password.
In 2017, Kaspersky described a WAP billing trojan with a similar mode of operation. In an attack, the malware performs the registration on behalf of the user without their being aware of it, the researchers say.
The Trojan receives commands from its command-and-control server to retrieve the list of targeted services. It then uses JavaScript code to secretly register for the service, suppresses the OTP message (if any) and sends the code on to complete the subscription. The JavaScript is designed to click HTML elements containing keywords such as "confirm", "click", and "continue" to finish the registration.
The toll fraud Trojan also hides its suspicious behaviour by loading code dynamically, using an Android feature that lets apps load additional modules from an external server at runtime.
Attackers abuse this to build legitimate-looking applications whose fraudulent functionality is loaded only when certain conditions are met, which defeats static code analysis.
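As an added illustration (not code from Microsoft's report or this article), the following static triage heuristic scores an app's declared permissions and decompiled strings for the combination of behaviours described above: SMS access for OTP interception, explicit cellular-transport requests, runtime code loading, and JavaScript aimed at "confirm"/"continue" controls. The permission and API names are real Android identifiers, but treating them as indicators, the weights, and the sample inputs are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Real Android permission names; grouping them as toll-fraud indicators is an assumption.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
NET_PERMS = {"android.permission.CHANGE_NETWORK_STATE", "android.permission.INTERNET"}
# Real Android API names (ConnectivityManager.requestNetwork, NetworkCapabilities.TRANSPORT_CELLULAR,
# dalvik.system.DexClassLoader); using them as triage signals is an assumption.
CELL_FORCING = ("requestNetwork", "TRANSPORT_CELLULAR")
DYNAMIC_LOAD = ("DexClassLoader", "InMemoryDexClassLoader")
# Keywords the article says the injected JavaScript looks for on the subscription page.
WAP_CLICK_RE = re.compile(r"confirm|continue|click", re.IGNORECASE)

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

def manifest_permissions(manifest_xml: str) -> set:
    """Collect android:name values of <uses-permission> elements."""
    return set(re.findall(r'<uses-permission[^>]*android:name="([^"]+)"', manifest_xml))

def has_any(strings, needles) -> bool:
    return any(n in s for s in strings for n in needles)

def triage(manifest_xml: str, strings: list) -> Verdict:
    """Score the combination of behaviours; no single indicator is conclusive on its own."""
    perms, v = manifest_permissions(manifest_xml), Verdict()
    if perms & SMS_PERMS:
        v.score += 2; v.reasons.append("SMS access (OTP interception)")
    if perms & NET_PERMS and has_any(strings, CELL_FORCING):
        v.score += 2; v.reasons.append("explicitly requests cellular transport")
    if has_any(strings, DYNAMIC_LOAD):
        v.score += 1; v.reasons.append("runtime code loading from an external module")
    if any("javascript" in s.lower() and WAP_CLICK_RE.search(s) for s in strings):
        v.score += 2; v.reasons.append("JavaScript targeting confirm/continue controls")
    return v

# Constructed samples for demonstration; these are not real APK contents.
SUSPECT_MANIFEST = """<manifest><uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/></manifest>"""
SUSPECT_STRINGS = ["requestNetwork", "TRANSPORT_CELLULAR", "dalvik.system.DexClassLoader",
                   "javascript:autoClick(['confirm','continue'])"]  # hypothetical string
BENIGN_MANIFEST = '<manifest><uses-permission android:name="android.permission.INTERNET"/></manifest>'
BENIGN_STRINGS = ["okhttp3.OkHttpClient", "javascript:void(0)"]

if __name__ == "__main__":
    for name, m, s in (("suspect", SUSPECT_MANIFEST, SUSPECT_STRINGS), ("benign", BENIGN_MANIFEST, BENIGN_STRINGS)):
        v = triage(m, s)
        print(f"{name}: score={v.score} reasons={v.reasons}")
```

A score near the maximum means the behaviours co-occur in one app, which is the pattern worth escalating to dynamic analysis on a device attached to a targeted carrier.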
Google groups such apps under the term potentially harmful applications (PHAs). Toll fraud apps accounted for 34.8% of all PHAs installed from the Google Play store in the first quarter of 2022, second only to spyware. Most of these installations came from India, Russia, Mexico, Indonesia, and Turkey.
To minimize harm, users should only install apps from the Google Play store or other trusted sources, avoid granting apps excessive permissions, and consider upgrading to a newer Android device if their current phone is too old to receive software updates.