Toll Fraud Malware Disables your WiFi to Force Premium Subscriptions
Microsoft is warning that toll fraud malware is one of the most prevalent threats on Android and that it is evolving with features that allow automatic subscription to premium services.
Toll fraud is a subset of billing fraud, where the threat actor tricks victims into calling or sending an SMS to a premium number.
The difference is that toll fraud does not work over WiFi and forces the devices to connect to the mobile operator’s network.
Microsoft showed this in sample code from Joker malware that has constantly found its way into Google’s Play Store for more than half a decade.
Toll fraud malware then uses the ‘NetworkCallbak’ to monitor the network status and get the ‘networktype’ variable to bind the process to a specific network, thus forcing the device to ignore an available WiFi connection and use the mobile operator’s.
The only way for the user to avoid this is to manually disable mobile data.
If the victim’s mobile carrier is on the target list, the malware proceeds to fetch a list of websites that provide premium services and tries to subscribe to them automatically.
While there are multiple subscription scenarios, users normally click on an HTML element and then send a verification code to the server.
Microsoft notes that sometimes additional verification may be required. Toll fraud malware samples the company analyzed have methods to achieve that, too.
Some operators finish the subscription only after checking that the user authorized it via an OTP code delivered over SMS, HTTP, or USSD (Unstructured Supplementary Service Data), with the first two being the more popular.
Android malware stealing SMS data is nothing special and collecting messages received over the HTML protocol the code needs to be parsed for strings that indicate a verification token.
Once the threat actor obtains the authorization code, they are free to complete the subscription to the selected premium service.
This is not enough, though, since victims could get notifications about the subscription, so these need to be suppressed.
“Since API level 18, an application that extends the NotificationListenerService is authorized to suppress notifications triggered from other applications” – Microsoft
Malware developers have a subset of three API calls they can abuse to silence SMS notifications from other applications:
- cancelAllNotifications() to inform the notification manager to dismiss all notifications
- cancelNotification(String key) to inform the notification manager to dismiss a single notification
- cancelNotifications(String  keys) to inform the notification manager to dismiss multiple notifications at once
Developers of toll fraud malware also implement mechanisms to keep the malicious behavior as discreet as possible. One way is to keep the malware inert if the mobile network of the infected device is not on the list.
Another method is to use dynamic code loading, which allows certain code to load only if specific conditions are met. This makes spotting the malware more difficult, especially on static analysis.
Keeping toll fraud malware off your device comes down to checking that the source for downloading your Android source is trustworthy, such as Google’s Play Store/
Additionally, looking at the permissions requested upon installation is a good way to reduce the risk of malware running rampant on your device as well as protect your privacy.
Microsoft also recommends users avoid allowing apps to read or send SMS, access to notifications, or accessibility unless these permissions are needed for normal functioning.