Android users at risk of new wallet-draining attacks

Owners of Android smartphones are at risk of a new type of billing fraud designed to trick them into paying for premium subscription packages, Microsoft has warned.

In an extensive blog post, detailing how the entire scheme operates, Microsoft explained that toll fraud malware is “one of the most prevalent types” on Android and that it just keeps evolving. Toll fraud is also quite complex, compared to its close relatives, SMS fraud and call fraud.

These apps use specific network operators, running their operations only if the compromised endpoint is subscribed to one of its target operators.

If these conditions are met, the app will subscribe to a service, completely out of sight for the device owner, and will even intercept one-time password SMS messages and other notifications. 

Toll fraud malware is also known for dynamic code loading, as this makes it harder for mobile security software to detect any foul play through static analysis.

Prevention and mitigation

However, Microsoft says there are characteristics that can be used to filter and detect these threats, and there are also adjustments in Android API restrictions and Google Play Store publishing policy, that can help mitigate the threat, the company added.

The first major malware variant in the toll fraud family was Joker, which managed to wiggle its way into the Google Play Store some five years ago. Its main goal is to generate as big of a financial impact on the victim as possible.

As it carries sophisticated cloaking techniques, the best way to protect your devices from such malware is to make sure it doesn’t get installed in the first place.

As a general rule of thumb, Microsoft reminds, Android apps should not be sideloaded (installed from untrusted sources)  and should always be kept up to date. Furthermore, apps should not be given SMS permissions, access to the notification listener or accessibility access unless there is a clear reason they are necessary.