Toll fraud, one of the most prevalent types of Android malware, continues to evolve. In a blog post on Thursday, the Microsoft 365 Defender Research Team revealed the details of this threat – how it operates, how analysts can better identify such threats, and how Android security can be improved to mitigate this threat.
According to Microsoft’s blog, toll fraud malware is a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent. The malware accounted for 34.8% of installed Potentially Harmful Applications (PHAs) from the Google Play Store in the first quarter of 2022, ranking second only to spyware.
The malware has distinctive behaviors. While SMS or call fraud uses a simple attack flow that sends messages or places calls to a premium number, toll fraud has a complex multi-step attack flow that malware developers continue to refine.
Microsoft security researchers observed new capabilities related to how this threat targets users of specific network operators. The malware performs its routines only if the device is subscribed to any of its target network operators. Once the connection to a target network is confirmed, it stealthily initiates a fraudulent subscription and also confirms it without the user’s consent, in some cases even intercepting the one-time password (OTP) to do so.
Thereafter, the malware suppresses subscription-related SMS notifications to prevent the user from becoming aware of the fraudulent transaction and unsubscribing from the service.
The Microsoft 365 Defender Research Team noted that the use of dynamic code loading makes it difficult for mobile security solutions to detect threats through static analysis.
“Despite this evasion technique, we’ve identified characteristics that can be used to filter and detect this threat. We also see adjustments in Android API restrictions and Google Play Store publishing policy that can help mitigate this threat,” the team said.
How to mitigate this threat?
Microsoft recommends that end users take the following steps to protect themselves from toll fraud malware:
- Avoid installing Android applications from untrusted sources (sideloading).
- Always install device updates promptly.
- Install applications only from the Google Play Store or other trusted sources.
- Avoid granting SMS permissions, notification listener access, or accessibility access to any app without a strong understanding of why it needs them. These are powerful permissions that are not commonly needed.
- Use a solution such as Microsoft Defender for Endpoint on Android to detect malicious apps.
- If a device is no longer receiving updates, strongly consider replacing it with a new device.
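The permissions named above (SMS access, notification listener access, accessibility access) are the ones a toll fraud app needs to confirm a subscription and hide the resulting SMS notifications, so their combination is a useful triage signal for anyone reviewing an app before installing or approving it. The following script is an added example, not code from Microsoft or from the blog post: it parses an AndroidManifest.xml (two constructed samples are embedded) and flags apps that request SMS permissions together with a notification listener or accessibility service. The risk tiers and the sample package names are assumptions made for the example; the permission strings are real Android identifiers.

```python
import xml.etree.ElementTree as ET

# Android attributes (android:name, android:permission) live in this namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions that let an app read, receive or send text messages (OTP interception).
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
# Services that are bound by the system only if they declare these permissions;
# they give an app the ability to read or dismiss notifications and drive the UI.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def analyze_manifest(xml_text: str) -> dict:
    """Return the toll-fraud-relevant capabilities declared in a manifest."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ATTR_NAME) for e in root.iter("uses-permission")}
    service_perms = {e.get(ATTR_PERMISSION) for e in root.iter("service")}
    return {
        "package": root.get("package"),
        "sms": sorted(requested & SMS_PERMISSIONS),
        "notification_listener": NOTIFICATION_LISTENER in service_perms,
        "accessibility": ACCESSIBILITY in service_perms,
    }


def risk_level(findings: dict) -> str:
    """Assumed triage tiers: SMS access combined with a way to hide or
    automate notifications is 'high'; either alone is 'medium'."""
    has_sms = bool(findings["sms"])
    can_hide_or_automate = findings["notification_listener"] or findings["accessibility"]
    if has_sms and can_hide_or_automate:
        return "high"
    if has_sms or can_hide_or_automate:
        return "medium"
    return "low"


# Constructed sample: a "wallpaper" app that asks for SMS receipt and a
# notification listener, which a wallpaper app has no business needing.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application>
        <service android:name=".NotifService"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    </application>
</manifest>"""

# Constructed sample: an app with only network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application/>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        f = analyze_manifest(manifest)
        print(f"{f['package']}: risk={risk_level(f)} sms={f['sms']} "
              f"notification_listener={f['notification_listener']} "
              f"accessibility={f['accessibility']}")
```

On a real device the same permissions show up in `adb shell dumpsys package <name>` output; the manifest check is useful before installation, while the bullet about only granting these permissions with a clear reason applies at runtime.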