Microsoft warned users of “toll fraud“active malware Android which can drain your mobile wallet by turning off Wifi connection.
Compared to other sub-categories of billing fraud, which include SMS fraud and call fraud, tariff fraud has unique behaviors.
According to the research team of Microsoft 365 Defender, while SMS fraud or toll fraud uses a simple attack flow to send messages or calls to a premium number, toll fraud has a complex, multi-stage attack flow that developers malware continues to improve.
“For example, we have seen new features related to how this threat targets users of specific network operators. It only performs its routines if the device is subscribed to any of its target network operators,” he warned. ‘agency.
Also, by default, it uses the cellular connection for its activities and forces devices to connect to the mobile network even if a Wi-Fi connection is available.
Once the connection to a target network is confirmed, it covertly initiates a fraudulent subscription and confirms it without the user’s consent, in some cases even intercepting the one-time password (OTP) to do so.
“It then suppresses the subscription-related SMS notifications to prevent the user from learning about the fraudulent transaction and unsubscribing from the service,” Microsoft explained.
Another unique behavior of paid fraud malware is the use of dynamic code loading, which makes it difficult for mobile security solutions to detect threats.
Despite this evasion technique, the team has identified characteristics that can be used to filter and detect this threat.
“We also see adjustments in Android API restrictions and the Google Play Store publishing policy that can help mitigate this threat, ”the company said.
“A rule of thumb is to avoid installing Android apps from untrusted sources (sideloading) and always follow device updates,” advised Microsoft.
“Avoid granting SMS permissions, notification listener access, or accessibility access to any application without a clear understanding of why the application needs it,” he added.
FacebookTwitterLinkedin
