Android malware detected that can disable Wi-Fi and intercept phone messages
Malware developers targeting the Android platform are at it again: they have designed apps that disable a device's Wi-Fi connection, secretly sign users up for expensive wireless subscriptions, and intercept text messages. All of these actions are an attempt to extract large sums of money from unsuspecting users.
According to a report by Ars Technica, which quotes Microsoft's press release, such security threats have been seen on the Android platform for years, and a prominent example is a family of malware known as Joker. Joker malware has infected millions of smartphones since 2016. Despite awareness of this security problem, little attention has been paid to the techniques used by such malware (the Toll Fraud category). Microsoft has recently investigated this security problem in technical detail.
This type of fraud uses a mechanism called WAP (Wireless Application Protocol), which provides a means of accessing information through the mobile network. Mobile phone users can subscribe to these services by visiting the providers' websites while their device is connected to the SIM card internet.
The user clicks on a specific option on the provider's website, and sometimes the operator sends a one-time password to the user via SMS and asks them to enter it on the site to complete the subscription. The purpose of the malicious apps is to automatically subscribe smartphones to these WAP services without the user's knowledge.
Microsoft says that its researchers have found malware that automatically enrolls the user in WAP services by performing a series of actions. These applications first disable the Wi-Fi connection or wait for the user to switch to the SIM card internet. Then the applications open the subscription purchase page without the user's knowledge, click on the subscription purchase option, intercept the one-time password, send that password to the WAP service provider, and finally disable the SMS notification. After these steps, the user has been subscribed to one of the WAP services without knowing it.
Malware developers have various ways to force smartphones to use SIM card internet even when Wi-Fi is on. On devices running Android 9 and older, developers can call the setWifiEnabled method of the WifiManager class. On Android 10 and newer versions, developers turn to the requestNetwork function of the ConnectivityManager class. In the end, the developer makes the phone load data exclusively through the SIM card's internet.
When the phone is connected to the SIM card internet, the malware opens a browser page in the background without the user's knowledge, loads the WAP service page, and clicks on the subscription purchase option. The final subscription verification step is a bit more difficult, because the confirmation request is delivered via SMS or the HTTP and USSD protocols.
Microsoft has described various methods that developers can rely on to bypass SMS, HTTP, and USSD requests. WAP service providers periodically send SMS messages to users to inform them of their membership in the subscription service. According to Microsoft, malware can even disable these SMS messages.
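The chain described above can be turned into a static triage check for app reviewers. The following is an added example, not code from Microsoft or from the article: it flags an app when evidence of forcing mobile data appears together with SMS access. The mapping of permissions to stages, the "Class.method" reference format, and the sample manifests are assumptions constructed for this illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Stage -> evidence. API names come from the article; the permission
# mapping is this example's assumption about what each stage needs.
STAGES = {
    "force_cellular": {"WifiManager.setWifiEnabled",
                       "ConnectivityManager.requestNetwork"},
    "read_sms_otp": {"android.permission.RECEIVE_SMS",
                     "android.permission.READ_SMS"},
    "hide_notifications": {
        "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
}

def declared_permissions(manifest_xml):
    """Permissions requested by the app or bound to its services."""
    root = ET.fromstring(manifest_xml)
    found = {e.get(NS + "name") for e in root.iter("uses-permission")}
    found |= {e.get(NS + "permission") for e in root.iter("service")}
    found.discard(None)
    return found

def triage(manifest_xml, api_refs):
    """Return (verdict, matched stages) for one app."""
    evidence = declared_permissions(manifest_xml) | set(api_refs)
    stages = sorted(s for s, marks in STAGES.items() if marks & evidence)
    # One stage alone is common in legitimate apps; the pairing of forced
    # mobile data with SMS access is what the article's chain depends on.
    risky = {"force_cellular", "read_sms_otp"} <= set(stages)
    return ("review" if risky else "pass"), stages

# Constructed samples: decoded manifests plus method references as a
# DEX-listing tool might report them (format assumed for this example).
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
SUSPECT = HEAD + """
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application><service android:name=".Listener"
    android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application></manifest>"""
WIFI_TOOL = HEAD + """
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SUSPECT, ["ConnectivityManager.requestNetwork"]))
    print(triage(WIFI_TOOL, ["WifiManager.setWifiEnabled"]))
```

A "review" verdict is a prompt for manual analysis, not proof of fraud, since legitimate apps can also combine these capabilities.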
Microsoft researchers say: “This malware may greatly increase the cost of the victims’ mobile bills by enrolling users in premium services. Affected devices are less secure, because it is not possible to detect malware. A large number of users may install this malware before it is removed.”
Google is actively detecting malware in the Play Store, and whenever it detects that a particular app is using malicious code, it stops its release. Experience shows that malicious apps are usually downloaded millions of times before they are removed from the Play Store.