New Android malware for fraudulent subscriptions discovered by Microsoft
The Microsoft 365 Defender Research Team has described a new family of money-grabbing Android malware that steals your money by one of the sneakier methods around: subscribing you to paid services without your consent.
The so-called toll fraud technique abuses Wireless Application Protocol (WAP) billing, an older carrier mechanism that lets a service charge a purchase directly to your phone bill over the mobile network, the same way carriers bill for legitimate subscriptions such as Spotify or HBO Max.
Because WAP billing only works over the cellular connection, the malware first waits for the device to leave Wi-Fi (on older Android versions it simply switches Wi-Fi off), then silently opens a subscription page, submits it on your behalf and intercepts any one-time password the service sends back. Incoming text-message notifications are suppressed while this happens, so the first sign of the subscription is often the monthly phone bill.
Alternatively, you pay the bill without looking and the scam runs on for months. The malware is written to look like an ordinary app to an unsuspecting user, with the fraud hiding behind permission requests that have nothing to do with the app's advertised purpose.
"Variants of toll fraud malware targeting Android API level 28 (Android 9.0) or lower disable the Wi-Fi by invoking the setWifiEnabled method of the WifiManager class. The permissions needed for this call are ACCESS_WIFI_STATE and CHANGE_WIFI_STATE. Since the protection level for both permissions is set to normal, they are automatically approved by the system," say Microsoft's researchers.
If an app designed to do something totally unrelated asks for text messaging permissions, say the researchers, that should immediately raise your suspicion. The simplest protection against this family of toll fraud malware, says Microsoft, is to run Android 10 or later, where third-party apps can no longer switch Wi-Fi off through setWifiEnabled.
Up until Android 9 these apps could operate undetected, so if you are running an older Android version you should update your phone or, if no update is available for it anymore, at least install a security application on it.
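The permission pattern described above (Wi-Fi control plus SMS access in an app that has no business reading your messages) is something you can check for yourself in an APK's manifest. The following triage script is an added example and is not code from Microsoft or from the article; the two manifests it parses are constructed for illustration, and the list of app categories for which SMS access counts as expected is an assumption.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the article describes. CHANGE_WIFI_STATE lets an app call
# WifiManager.setWifiEnabled(false) on Android 9 and below; the SMS
# permissions let it read the OTP and hide the subscription notification.
WIFI_CONTROL = {"android.permission.CHANGE_WIFI_STATE"}
SMS_ACCESS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
# App categories for which SMS access is plausible (assumed list).
SMS_EXPECTED_CATEGORIES = {"messaging", "dialer", "carrier"}

# Constructed sample: a "flashlight" app whose manifest asks for Wi-Fi
# control and SMS access. Not taken from any real malware sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <application android:label="Flashlight" />
</manifest>
"""

# Constructed benign counterpart for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="31" />
    <uses-permission android:name="android.permission.CAMERA" />
    <application android:label="Flashlight" />
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set[str]:
    """Collect every <uses-permission android:name="..."> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def target_sdk(manifest_xml: str) -> int | None:
    """Return android:targetSdkVersion from <uses-sdk>, if declared."""
    sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    value = sdk.get(ANDROID_NS + "targetSdkVersion") if sdk is not None else None
    return int(value) if value and value.isdigit() else None


def triage(manifest_xml: str, app_category: str) -> dict:
    """Score a manifest against the toll-fraud permission pattern.

    app_category is the app's advertised purpose (for example taken from the
    store listing); SMS permissions are only expected for messaging-type apps.
    """
    perms = declared_permissions(manifest_xml)
    sdk = target_sdk(manifest_xml)
    wifi = bool(perms & WIFI_CONTROL)
    sms = sorted(perms & SMS_ACCESS)
    sms_unexpected = bool(sms) and app_category not in SMS_EXPECTED_CATEGORIES
    reasons = []
    if wifi:
        reasons.append("CHANGE_WIFI_STATE: can force the device onto mobile data")
        # Apps targeting API 29+ get `false` back from setWifiEnabled, so a
        # low targetSdkVersion next to this permission is itself worth noting.
        if sdk is not None and sdk <= 28:
            reasons.append(f"targetSdkVersion {sdk}: setWifiEnabled still honoured")
    if sms_unexpected:
        reasons.append(f"SMS access unrelated to a {app_category} app: {sms}")
    # Both halves of the scheme (network control plus OTP/notification access)
    # present in an app that has no business with SMS.
    suspicious = wifi and sms_unexpected
    return {"suspicious": suspicious, "reasons": reasons, "permissions": sorted(perms)}


if __name__ == "__main__":
    for name, xml in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        verdict = triage(xml, "flashlight")
        print(name, "suspicious" if verdict["suspicious"] else "clean", verdict["reasons"])
```

Run against a real APK, feed it the decoded AndroidManifest.xml (for example from apktool output) together with the app's store category; the verdict is a triage signal, not proof, since a legitimate messaging app will legitimately declare the SMS permissions.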