Microsoft has warned users about toll fraud malware, which automatically subscribes victims to premium services. It is one of the most prevalent threats on Android devices.

The toll fraud malware

A detailed report by Microsoft offers technical information on how toll fraud malware works and how it can be stopped on Android.
  • Toll fraud works over Wireless Application Protocol (WAP) billing, which allows consumers to subscribe to paid content.
  • Subscribing requires a connection over the mobile network, and the customer has to click a subscription button.
  • The malware collects data on the subscriber's country and mobile network, which requires an Android permission.

Toll fraud malware performs the steps above automatically: it initiates fraudulent subscriptions, observes the one-time passwords (OTPs), and suppresses notifications that could alert the victim.

Staying stealthy

  • The malware operators have implemented mechanisms to keep the malware dormant if the infected device's mobile network is not on their target list. This keeps the malicious behavior hidden.
  • Another technique is dynamic code loading, which loads certain code only when specific conditions are met. This makes the malware harder to detect.

Additional Insights

  • Another main tactic involves disabling the Wi-Fi connection and forcing the device to use the mobile operator's network. On Android 9 or any lower version, this can be done with a permission at the normal protection level.
  • For higher API levels, the ‘requestNetwork’ function is used, which requires the CHANGE_NETWORK_STATE permission; that permission also has only the normal protection level.

Security tips

To stay protected from toll fraud malware, users should download apps and other media only from reliable sources. Additionally, always review the permissions an app requests upon installation to minimize the risk of malware running unchecked on the smartphone.
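As an added defender-side example that is not part of the Microsoft report or this article, the following Python script parses an app manifest and flags the permission combination that the network-steering, subscriber-lookup, OTP and notification behaviours described above depend on. Only CHANGE_NETWORK_STATE is named in the report; the other permission names, the scoring heuristic and the sample manifest are assumptions constructed here.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> toll-fraud behaviour it enables. CHANGE_NETWORK_STATE is named in
# the report; the other entries are standard Android permissions this example
# assumes match the remaining behaviours (subscriber lookup, OTPs, notifications).
INDICATORS = {
    "android.permission.CHANGE_NETWORK_STATE": "steer traffic onto the mobile network (requestNetwork)",
    "android.permission.CHANGE_WIFI_STATE": "disable Wi-Fi so traffic falls back to cellular",
    "android.permission.READ_PHONE_STATE": "read subscriber country and mobile operator",
    "android.permission.RECEIVE_SMS": "observe incoming OTP messages",
    "android.permission.READ_SMS": "read stored OTP messages",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "intercept or dismiss notifications",
}
NETWORK_STEERING = {"android.permission.CHANGE_NETWORK_STATE", "android.permission.CHANGE_WIFI_STATE"}
SMS_ACCESS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

def requested_permissions(manifest_xml):
    """Collect <uses-permission> names plus permissions guarding <service> entries."""
    root = ET.fromstring(manifest_xml)
    perms = {n.get(ANDROID_NS + "name") for n in root.iter("uses-permission")}
    # A notification listener is a <service> protected by the bind permission.
    perms |= {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    perms.discard(None)
    return perms

def toll_fraud_indicators(manifest_xml):
    """Return {permission: behaviour} for every indicator the manifest requests."""
    return {p: INDICATORS[p] for p in sorted(requested_permissions(manifest_xml)) if p in INDICATORS}

def is_suspicious(manifest_xml):
    """Heuristic (assumption): network steering together with SMS access is the
    pairing a toll-fraud app needs; either group alone is common in benign apps."""
    hits = set(toll_fraud_indicators(manifest_xml))
    return bool(hits & NETWORK_STEERING) and bool(hits & SMS_ACCESS)

# Constructed sample manifest for a fictitious app; not taken from any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".NotifSvc" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
```

For the constructed manifest, `toll_fraud_indicators(SAMPLE_MANIFEST)` lists the four flagged permissions with the behaviour each enables, and `is_suspicious(SAMPLE_MANIFEST)` returns True because network steering and SMS access appear together.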
Cyware Publisher