The Microsoft 365 Defender Research Team recently shared a post, explaining how a toll fraud malware can subscribe users to premium services, without them ever finding out and realizing it. The malware has improved a lot over the years, and it can hide all of its tracks, leaving the user with a drained wallet.

In a new blog post, the Microsoft 365 Deferender Research Team explained how the toll fraud malware works, and how it can be used to subscribe users to premium services, without them ever finding out about it. The malware has many unique behaviors. And it can easily target specific network operators and hide its tracks.

The malware has a lot of steps to execute, and it’s called “toll frauds”, because it charges the user’s telecom bill, instead of requiring a credit or debit card. It can use “dynamic code loading” to infect users and devices and exploits the WAP (Wireless Application Protocol) protocol that is widely used by network operators.

Once a device is connected to the target network, the device then subscribes to fraudulent services without the user’s consent. The malware may be able to disable the user’s Wi-Fi connection, or wait for it to go outside of the Wi-Fi coverage.

The malware can also intercept and access the one-time passwords (OTP), usually sent to authenticate purchases. The malware also hides any notifications and can fill out the information on the user’s behalf, completely hiding all of its tracks. Users often find out about the malware once it’s too late, and they must pay at the end of their agreement or the end of the month.

Smartphone malware

Source: Pexels

The telecom scam technique has been widely used in the past, and it has started to take off again in recent years. It’s also a popular method in developing countries, as most people often only use prepaid or monthly SIM services, letting the attackers grab a large sum of money.

There’s no sign of this method slowing down anytime soon, and we suspect it’ll be here to stay in the long run. Once the malware is executed correctly, it only has to go through the steps to start collecting money from unsuspected users. The Toll Fraud malware has also been the most prevalent type on Android since 2017. The malware has accounted for 34.8% of installed Potentially Harmful Application (PHA) from the Google Play Store in the first quarter of 2022, ranking second to spyware.

How to prevent it?

Google Play Store

Source: Unsplash: obionyeador

Fortunately, the malicious code is mainly distributed outside the Google Play Store, since Google restricts the use of dynamic code to be loaded onto any apps on the Google Play Store. The chances of general users being affected are low, but it can happen upon accessing third-party and unknown applications from outside of the Google Play Store.

We strongly encourage you to only download files that you can verify. Using third-party services always comes with risks, and we recommend against using them. It’s also worth pointing out that Google’s own system isn’t perfect, and things can also get uploaded to the Play Store by accident.

The Defender Team also recommends that users “avoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong understanding of why the application needs it.”

Additionally, the team recommends users to upgrade their devices once they are no longer expected to receive any more updates. New security patches can be downloaded semi-frequently, keeping you safe from malware and other fraudulent actions.

If you’d like to find out more about how the malware works, and how it can be executed on a device, check out the Microsoft blog post with more detailed explanations. The team explains the process and demonstrates the method with clear examples.