
Toll fraud malware is one of the most common types of Android malware. It is a subset of billing fraud in which malicious programs subscribe users to premium services without their knowledge or consent.
Toll fraud behaves differently from other types of billing fraud, such as SMS fraud and call fraud. SMS fraud and call fraud use a simple attack flow (send messages or place calls to a premium number), whereas toll fraud involves a sophisticated multi-step attack flow that malware authors are constantly refining.
Once the malware confirms that the device is connected to a target cellular network, it silently initiates and confirms a fraudulent subscription without the user's knowledge, in some cases intercepting the one-time password (OTP) needed to complete it. It then suppresses the SMS notifications about the subscription so that the user does not notice the fraudulent transaction and unsubscribe from the service.
Another distinguishing feature of toll fraud malware is its use of dynamic code loading, which makes it difficult for mobile security solutions to detect the threat through static analysis, because parts of the code are downloaded onto the device at different points in the attack flow. Despite this evasion technique, we have identified characteristics that can be used to filter and detect this threat. We also see changes in Android API restrictions and Google Play Store publishing policies that may help mitigate this problem.
How to understand toll fraud malware
To understand toll fraud malware, we must first learn more about the billing technique the attackers exploit. Wireless Application Protocol (WAP) billing is the billing method most widely used in toll fraud. WAP billing is a payment system that allows consumers to subscribe to paid content from sites that support this protocol and have the charge added directly to their mobile phone bill.
The customer begins the subscription process by establishing a session with the service provider over a cellular network and navigating to the website that offers the paid service. The user must then click a subscription button and, in some cases, receive a one-time password (OTP) that must be sent back to the service provider to confirm the subscription.

When a subscription is obtained without the user's consent, it is considered fraudulent.
Toll fraud occurs when the malware performs the subscription on the user's behalf in such a way that the whole procedure goes unnoticed by the user, through the following steps:
- Disable the Wi-Fi connection or wait for the user to switch to a mobile network
- Silently navigate to the subscription page
- Auto-click the subscription button
- Intercept the OTP (if applicable)
- Send the OTP to the service provider (if applicable)
- Cancel the SMS notifications (if applicable)
Toll fraud is one of the most widespread types of malware, with a significant financial impact. Because of its complex cloaking techniques, user prevention is critical in keeping the device secure. As a general guideline, avoid installing Android apps from untrusted sources and always keep up with device updates.
Precautionary steps:
- Install apps exclusively from the Google Play Store or other reputable sources.
- Do not grant SMS permissions, notification listener access, or accessibility access to any application without a clear understanding of why the program needs them. These are powerful permissions that are rarely required.
- To detect malicious applications on Android, use a solution such as Microsoft Defender for Endpoint.
- If a device is no longer receiving updates, it is strongly recommended that it be replaced with a new device.
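The permission and component combinations named above (SMS access, notification listener access, accessibility access, plus control over the network connection used in the first step of the attack flow) can be checked statically before an app is trusted. The following triage script is an added example, not code from the original post; it parses a constructed AndroidManifest.xml and flags those capabilities. The threshold and the sample manifests are assumptions for illustration.

```python
# Added example (not from the original post): static triage of an Android
# manifest for the capability combination the post associates with toll fraud.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Real Android permissions; grouped by the attack-flow step they enable
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
NET_PERMS = {"android.permission.CHANGE_NETWORK_STATE", "android.permission.CHANGE_WIFI_STATE"}
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SUSPICIOUS_THRESHOLD = 3  # assumption: three or more flags warrants manual review

def triage_manifest(manifest_xml: str) -> dict:
    """Return per-capability flags, a score and a verdict for a manifest string."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    service_perms = {e.get(PERM_ATTR) for e in root.iter("service")}
    flags = {
        "sms_access": bool(perms & SMS_PERMS),             # OTP interception
        "network_control": bool(perms & NET_PERMS),        # forcing cellular data
        "notification_listener": NOTIF_LISTENER in service_perms,  # hiding SMS alerts
        "accessibility_service": ACCESSIBILITY in service_perms,   # auto-clicking
    }
    score = sum(flags.values())
    return {**flags, "score": score, "suspicious": score >= SUSPICIOUS_THRESHOLD}

# Constructed sample manifests (not real apps)
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application>
    <service android:name=".NotifSvc" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <service android:name=".A11ySvc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".SyncSvc"/></application>
</manifest>"""

if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(m))
```

A high score is a reason to inspect the app (or deny the permissions) rather than proof of fraud, since legitimate messaging or accessibility apps also declare some of these.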

Since 2017, when families like Joker and its variants first appeared in the Google Play Store, toll fraud has been one of the most common types of Android malware.
This malware can cause high mobile bill charges by subscribing users to premium services. Affected devices are also at greater risk because this threat is capable of evading detection and achieving a large number of installations before a single variant is removed.