Those still using older versions of the Android operating system are at risk.
Microsoft’s 365 Defender team has detected a new and evolving Android malware that targets users’ crypto wallets to steal funds without raising suspicion. According to the researchers, the malware hunts for devices still running older versions of the Android OS.
Toll fraud is a subcategory of billing fraud in which the malware automatically signs the user up for a premium service without asking for the user's consent. Because it is continuously evolving, researchers regard it as a dangerous class of Android malware.
A Novel Fraud
The malware has a unique attack approach compared to other billing frauds such as call or SMS fraud. Where other types of scams use a standard attack flow involving making calls or sending messages to premium numbers, toll fraud uses a complicated multi-step attack flow, which the malware developers are continually improving.
Furthermore, Microsoft explained that the malware targets “specific network operators” and performs its routines only if the device is subscribed to one of its approved network operators. By default it uses cellular data for its malicious operations; in fact, it forces the device onto a mobile network even when a Wi-Fi connection is available.
According to the findings shared by Microsoft’s researchers, the evolving toll fraud scheme exploits the Wireless Application Protocol (WAP) billing mechanism to target Android users. Applications use WAP billing to charge users for paid content via their mobile phone bills, and because the malware operates over the cellular network, it can easily enroll the user in premium services.
The attack chain commences when the device disconnects from a Wi-Fi network and connects to a mobile network. The Android malware then quickly launches the subscription page and automatically subscribes the user to the service.
Once this is done, the malware reads a one-time password (OTP), if any, and fills the required fields to finish the subscription process. The attackers then disguise this activity by disabling SMS notifications.
According to Microsoft’s blog post, toll fraud poses numerous risks, including an unwanted increase in your monthly phone bill. Since the malware hides behind legitimate-looking apps that require a wide range of permissions, it becomes impossible to detect. It hides behind apps requesting SMS permissions, personalization, editing access, and communication-related privileges, such as wallpaper or lock screen apps, chat/messaging apps, fake antivirus, and cleaner and camera apps.
It must be noted that the malware targets phones running Android 9 or older versions. This means mobile phones using Android version 10 or higher are safe. Still, it is recommended to install antivirus apps for added protection and to avoid installing apps from third-party sources.
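As an added defender-side example (not from the article or from Microsoft’s report), the script below triages an AndroidManifest.xml for the combination the article describes: SMS permissions, network-state control, a notification listener, and a target of Android 9 (API 28) or lower; the sample manifest is constructed, and treating targetSdkVersion as a proxy for "runs on Android 9 or older" is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
LAST_AFFECTED_API = 28  # Android 9; the article says Android 10+ (API 29+) is safe
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}
NET_PERMS = {"android.permission.CHANGE_NETWORK_STATE",
             "android.permission.ACCESS_NETWORK_STATE"}
NOTIF_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the toll-fraud-relevant indicators declared in a manifest string."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID_NS + "targetSdkVersion", "0")) if sdk is not None else 0
    # A notification listener is a <service> guarded by the BIND_... permission.
    listener = any(s.get(ANDROID_NS + "permission") == NOTIF_PERM
                   for s in root.iter("service"))
    findings = {
        "sms_permissions": sorted(perms & SMS_PERMS),
        "network_control": sorted(perms & NET_PERMS),
        "notification_listener": listener,
        # Assumption: targetSdkVersion <= 28 used as a proxy for "aimed at Android 9 or older".
        "targets_affected_api": 0 < target <= LAST_AFFECTED_API,
    }
    # Flag only the full combination: SMS access plus network control on an
    # app targeting the affected API range (a heuristic, not proof of malware).
    findings["suspicious"] = (bool(findings["sms_permissions"])
                              and bool(findings["network_control"])
                              and findings["targets_affected_api"])
    return findings


# Constructed sample: a "wallpaper" app asking for SMS and network-state
# permissions, declaring a notification listener, and targeting API 28.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
  <application>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```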