Last month, we wrote about malicious Android apps containing a trojan that researchers have dubbed “SMSFactory.” This piece of malware exists to infect Android phones and conduct SMS billing fraud. SMSFactory uses SMS and phone permissions to routinely send premium text messages and make calls to premium numbers. Premium calls and texts add charges to phone bills, which customers have to pay at the end of their billing cycles. The victims of this kind of fraud end up paying more expensive phone bills, and the extra money is directed to the cybercriminals who own and operate the premium phone numbers.

SMSFactory isn’t the only malware that conducts this kind of fraud. SMSFactory has so far been found in malicious apps that have to be side-loaded onto Android phones. However, bad actors have managed to sneak malicious apps carrying the Joker malware family into the Google Play Store time and time again since its first appearance in 2017. Among other malicious actions, Joker subscribes its victims to paid services via SMS.

The Wireless Application Protocol billing process (source: Microsoft)

After years of Joker and other malware families afflicting Android users with expensive phone bills, Microsoft has published a lengthy and detailed breakdown of how these kinds of malware commit billing fraud. Billing fraud of the kind carried out by SMSFactory and Joker relies on the Wireless Application Protocol (WAP). The WAP billing process has a one-time password (OTP) safeguard to make sure that phone users actually intend to subscribe to premium services. However, this safeguard isn’t always present, and, even when it is, malware developers have figured out ways to get around it.

According to Microsoft, the malware attack chain usually begins with the malware either disabling the Wi-Fi connection or waiting for the user to switch from Wi-Fi to mobile data. Once the infected phone is connected to a mobile network, the malware navigates to a premium service subscription page and injects JavaScript into the page that clicks the subscription button. If the WAP OTP safeguard applies, the malware intercepts the OTP that is sent over text, submits the OTP to the service provider, and finishes by canceling the SMS notifications that might alert the victim to the unauthorized premium subscription.

This automated subscription process is a fairly devilish way to commit fraud, but Microsoft has some recommendations for avoiding the malware that carries it out. The company’s 365 Defender Research Team recommends that users stick to installing apps from the Google Play Store or other trusted sources and avoid giving apps SMS permissions, notification listener access, or accessibility access without understanding why the apps need these permissions. The team also suggests using a trusted antivirus solution and retiring phones that are no longer receiving updates.
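The permissions Microsoft calls out (SMS, notification listener, accessibility) map directly onto the steps of the attack chain described above: SMS access to intercept the OTP, accessibility access to drive the subscription page, and notification listener access to hide the carrier's subscription notices. The following script is an added example written for this article, not code from Microsoft, Avast, or any of the malware families discussed. It reads a decoded AndroidManifest.xml and scores the app against that capability pattern, so an analyst triaging a batch of sideloaded APKs can surface the ones worth a closer look. The two manifests embedded in it are constructed samples, and the weights are an illustrative choice rather than a published scoring scheme.

```python
"""Triage an Android manifest for the capability pattern used by WAP billing
fraud families such as SMSFactory and Joker.

Added illustration for this article; the manifests below are constructed
samples and the weights are an assumption, not Microsoft's methodology."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Standard Android permissions that the fraud chain relies on.
RISK_WEIGHTS = {
    "android.permission.SEND_SMS": 3,           # send premium texts / reply to OTP
    "android.permission.RECEIVE_SMS": 3,        # read the OTP as it arrives
    "android.permission.READ_SMS": 2,
    "android.permission.CALL_PHONE": 2,         # calls to premium numbers
    "android.permission.CHANGE_WIFI_STATE": 2,  # push the phone onto mobile data
    "android.permission.CHANGE_NETWORK_STATE": 1,
    "android.permission.ACCESS_NETWORK_STATE": 1,
    "android.permission.INTERNET": 0,           # ubiquitous; weight 0 so it is never flagged
}
# Privileged services are declared with android:permission on a <service>.
RISK_SERVICES = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": 3,  # dismiss subscription SMS notices
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 3,          # click through the subscription page
}
SMS_PERMISSIONS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                   "android.permission.READ_SMS"}


def extract_capabilities(manifest_xml):
    """Return (requested permissions, service-binding permissions) from a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")} - {None}
    services = {e.get(PERMISSION_ATTR) for e in root.iter("service")} - {None}
    return perms, services


def score_manifest(manifest_xml):
    """Score the manifest; returns (score, list of findings that contributed)."""
    perms, services = extract_capabilities(manifest_xml)
    score, findings = 0, []
    for item in sorted(perms):
        weight = RISK_WEIGHTS.get(item, 0)
        if weight:
            score += weight
            findings.append(item)
    for item in sorted(services):
        weight = RISK_SERVICES.get(item, 0)
        if weight:
            score += weight
            findings.append(item)
    # The chain needs SMS access *and* a privileged service to drive the page or
    # hide the aftermath; that combination is a stronger signal than any one item.
    if perms & SMS_PERMISSIONS and services & set(RISK_SERVICES):
        score += 5
        findings.append("COMBINATION:sms+privileged-service")
    return score, findings


def verdict(score):
    """Map a score to a triage bucket (thresholds are an illustrative assumption)."""
    if score >= 10:
        return "review-urgently"
    if score >= 5:
        return "review"
    return "low"


# Constructed sample: a flashlight app that asks only for the camera (for the LED).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

# Constructed sample: a "wallpaper" app with the full WAP-fraud capability set.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("flashlight", BENIGN_MANIFEST), ("wallpapers", SUSPICIOUS_MANIFEST)):
        score, findings = score_manifest(manifest)
        print(f"{label}: score={score} verdict={verdict(score)} findings={findings}")
```

A real manifest is binary-encoded inside the APK; decode it first (for instance with apktool or aapt) and feed the resulting XML to `score_manifest`. The score is only a triage signal: an SMS backup app legitimately needs `READ_SMS`, so the combination rule, not any single permission, is what separates a plausible request from the pattern Microsoft describes.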