Toll fraud malware: How an Android application can drain your wallet
Discription

Toll fraud malware, a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent, is one of the most prevalent types of Android malware – and it continues to evolve.

Compared to other subcategories of billing fraud, which include SMS fraud and call fraud, toll fraud has unique behaviors. Whereas SMS fraud or call fraud use a simple attack flow to send messages or calls to a premium number, toll fraud has a complex multi-step attack flow that malware developers continue to improve.

For example, we saw new capabilities related to how this threat targets users of specific network operators. It performs its routines only if the device is subscribed to any of its target network operators. It also, by default, uses cellular connection for its activities and forces devices to connect to the mobile network even if a Wi-Fi connection is available. Once the connection to a target network is confirmed, it stealthily initiates a fraudulent subscription and confirms it without the user’s consent, in some cases even intercepting the one-time password (OTP) to do so. It then suppresses SMS notifications related to the subscription to prevent the user from becoming aware of the fraudulent transaction and unsubscribing from the service.

Another unique behavior of toll fraud malware is its use of dynamic code loading, which makes it difficult for mobile security solutions to detect threats through static analysis, since parts of the code are downloaded onto the device in certain parts of the attack flow. Despite this evasion technique, we’ve identified characteristics that can be used to filter and detect this threat. We also see adjustments in Android API restrictions and Google Play Store publishing policy that can help mitigate this threat.

Toll fraud has drawn media attention since Joker, its first major malware family, found its way to the Google Play Store back in 2017. Despite this attention, there’s not a lot of published material about how this type of malware carries out its fraudulent activities. Our goal for this blog post is to share an in-depth analysis on how this malware operates, how analysts can better identify such threats, and how Android security can be improved to mitigate toll fraud. This blog covers the following topics:

* The WAP billing mechanism: An overview
* Fraudulent subscriptions via toll fraud
* Forcing cellular communication
* Fetching premium service offers and initiating subscriptions
* Intercepting OTPs
* Suppressing notifications
* Using dynamic code loading for cloaking
* Mitigating the threat of toll fraud malware
* Identifying potential malware
* Improving Android security and privacy

## The WAP billing mechanism: An overview

To understand toll fraud malware, we need to know more about the billing mechanism that attackers use. The commonly used type of billing in toll fraud is Wireless Application Protocol (WAP). WAP billing is a payment mechanism that enables consumers to subscribe to paid content from sites that support this protocol and get charged directly through their mobile phone bill. The subscription process starts with the customer initiating a session with the service provider over a cellular network and navigating to the website that provides the paid service. As a second step, the user must click a subscription button, and, in some cases, receive a one-time password (OTP) that has to be sent back to the service provider to verify the subscription. The overall process is depicted below:

![A diagram of how the Wireless Application Protocol billing process works. Interactions between the mobile device and premium service provider are mapped out, from the moment the device browses through services until the confirmation of service subscription.](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-1-the-wap-billing-process-in-a-nutshell.png)Figure 1. The WAP billing process in a nutshell

It should be noted that the process depends on the service provider, thus not all steps are always present. For example, some providers do not require an OTP, which means that the mobile user can subscribe to a service by simply clicking the subscription button while the device is connected to a cellular network.

## Fraudulent subscriptions via toll fraud

We classify a subscription as fraudulent when it takes place without a user’s consent. In the case of toll fraud, the malware performs the subscription on behalf of the user in a way that the overall process isn’t perceivable through the following steps:

1. Disable the Wi-Fi connection or wait for the user to switch to a mobile network
2. Silently navigate to the subscription page
3. Auto-click the subscription button
4. Intercept the OTP (if applicable)
5. Send the OTP to the service provider (if applicable)
6. Cancel the SMS notifications (if applicable)

One significant and permissionless inspection that the malware does before performing these steps is to identify the subscriber’s country and mobile network through the mobile country codes (MCC) and mobile network codes (MNC). This inspection is done to target users within a specific country or region. Both codes can be fetched by using either the _TelephonyManager_or the _SystemProperties_class. The _TelephonyManager.getSimOperator()_ API call returns the MCC and MNCcodes as a concatenated string, while other functions of the same class can be used to retrieve various information about the mobile network that the device is currently subscribed to. As the network and SIM operator may differ (e.g., in roaming), the _getSimOperator_function is usually preferred by malware developers.

The same type of information can be fetched by using the _SystemProperties.get(String key)_ function where the key parameter may be one or several (using multiple calls) of the following strings:_ gsm.operator.numeric, gsm.sim.operator.numeric, gsm.operator.iso-country, gsm.sim.operator.iso-country, gsm.operator.alpha, gsm.sim.operator.alpha_

The difference with the first call is that the _android.os.SystemProperties_ class is marked as _@SystemApi_, therefore an application has to use Java reflection to invoke the function. The MNC and MCC codes are also used to evade detection, as the malicious activity won’t be performed unless the SIM operator belongs to the ones targeted:

![A screenshot of code snippet from the Joker malware. The code specifies that the malware will only run if the device is under a South African mobile operator.](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-2-joker-malware-running-its-payload-targeting-south-african-mobile-operators-62bca491a07eb.png)_Figure 2. Joker malware running its payload, targeting South African mobile operators_

The following sections present an analysis of the fraudulent subscription steps in the context of the Android operating system. This analysis can help identify the API calls and the permissions needed for the implementation of a toll fraud scheme.

### Forcing cellular communication

Variants of toll fraud malware targeting Android API level 28 (Android 9.0) or lower disable the Wi-Fi by invoking the _setWifiEnabled _method of the _WifiManager _class. The permissions needed for this call are _ACCESS_WIFI_STATE_ and _CHANGE_WIFI_STATE_**. **Since the protection level for both permissions is set to normal, they are automatically approved by the system.

Meanwhile, malware targeting a higher API level uses the _requestNetwork_ function of the _ConnectivityManager_class. The [Android developers page]() describes the_ requestNetwork method _as:

_This method will attempt to find the best network that matches the given NetworkRequest, and to bring up one that does if none currently satisfies the criteria. The platform will evaluate which network is the best at its own discretion. Throughput, latency, cost per byte, policy, user preference and other considerations may be factored in the decision of what is considered the best network._

The required permission for this call is either _CHANGE_NETWORK_STATE_ (protection level: normal) or _WRITE_SETTINGS_(protection level: signature|preinstalled|appop|pre23), but since the latter is protected, the former is usually preferred by malware developers. In the code snippet depicted below from a malware sample that can perform toll fraud, the function _vgy7_is requesting a _TRANSPORT_CELLULAR_ transport type (Constant Value: 0x00000000) with _NET_CAPABILITY_INTERNET_ (Constant Value: 0x0000000c):__

![A screenshot of code snippet from a Joker malware where the malware requests for a TRANSPORT_CELLULAR transport type. ](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-3-code-from-a-joker-malware-sample-requesting-a-transport-cellular-transport-type.png)_Figure 3. Code from a Joker malware sample requesting a TRANSPORT_CELLULAR transport type_

_Figure 3. Code from a Joker malware sample requesting a TRANSPORT_CELLULAR transport type_

The _NetworkCallback_is used to monitor the network status and retrieve a _network_type variable that can be used to bind the process to a particular network via the _ConnectivityManager.bindProcessToNetwork_function. This allows the malware to use the mobile network even when there is an existing Wi-Fi connection. The proof-of-concept code depicted below uses the techniques described above to request a _TRANSPORT_CELLULAR_ transport type. If the transport type is available, it binds the process to the mobile network to load the host at example.com in the application’s WebView:

![A screenshot of proof-of-concept code to demonstrate a request for a TRANSPORT_CELLULAR transport type. ](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-4-proof-of-concept-code-to-request-a-transport-cellular-transport-type.png)_Figure 4. Proof-of-concept code to request a TRANSPORT_CELLULAR transport type_

While it is expected that the Wi-Fi connection is preferred even when mobile connection is also available, the process exclusively uses the cellular network to communicate with the server:

![A screenshot of two Android mobile browser screens, side by side. The browser screen on the left loads the content of example.com, while the browser screen on the right loads a blank page. ](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-5b-the-mobile-browser-loads-example-com-when-transport-cellular-transport-type-is-available.png)_Figure 5. The mobile browser loads example.com when TRANSPORT_CELLULAR transport type is available and loads a blank page when only Wi-Fi is available_

In fact, the user must manually disable mobile data to prevent the malware from using the cellular network**. **Even though the _setWifiEnabled_has been deprecated, it can still be used by malware targeting API level 28 or lower.

### Fetching premium service offers and initiating subscriptions

Assuming that the SIM operator is on the target list and the device is using a _TRANSPORT_CELLULAR_type network, the next step is to fetch a list of websites offering premium services and attempt to automatically subscribe to them.

The malware will communicate with a C2 server to retrieve a list of offered services. An offer contains, between else, a URL which will lead to a redirection chain that will end up to a web page, known as landing page.

What happens next depends on the way that the subscription process is initiated, thus the malware usually includes code that can handle various subscription flows. In a typical case scenario, the user has to click an HTML element similar to the one depicted below (JOIN NOW), and as a second step, send a verification code back to the server:

![A screenshot of a website offering subscriptions to apps and premium services. There are two banners on the website, with the one above displaying the text “Join Now”. The banner at the bottom displays sports-related images (football and car racing). ](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-6-a-subscription-page-thats-loaded-in-the-background-without-the-users-knowledge.png)_Figure 6. A subscription page that’s loaded in the background without the user’s knowledge._

For the malware to do this automatically, it observes the page loading progress and injects JavaScript code designed to click HTML elements that initiate the subscription. As the user can only subscribe once to one service, the code also marks the HTML page using a cookie to avoid duplicate subscriptions. The following is an example of such a code:

![](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-7-javascript-injected-code-scraping-related-html-elements.png)_Figure 7. JavaScript injected code scraping related HTML elements_

On line 76, _getElementsByTagName_returns a collection of all the Document Object Model (DOM) elements tagged as _input_. The loop on line 78 goes through every element and checks its _type_as well as its _name_, _value,_ and _alt_properties. When an element is found to contain keywords, such as “confirm”, “click”, and “continue”, it is sent to the _c_function, as depicted below:

![A screenshot of JavaScript code of a function where it simulates clicks on selected HTML elements.](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-8-javascript-function-simulating-clicks-on-selected-html-elements-62bcbdc36d81e.png)_Figure 8. JavaScript function simulating clicks on selected HTML elements_

The _if_ statement on line 36 checks if the element has already been clicked by calling the _jdh _function, displayed below in Figure 12. Finally, the _c _function invokes the _click()_ or _submit()_ function by the time the branch on line 37 (see figure 11) is followed:

![A screenshot of the JavaScript code where the malware checks if a premium service page has already been visited. ](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-9-javascript-code-checking-if-the-page-has-already-been-visited.png)_Figure 9. JavaScript code checking if the page has already been visited_

The HTML page loading process is tracked using an _onPageFinished_callback of the _WebViewClient_attached to the WebView. Subsequently, a handler that listens for relative message types acts depending on the next steps that are required for the subscription to take place. In the code snippet below, the URL loaded in the WebView and a _signal_with _id_ “128”is sent to _handler2_to evaluate the service and initiate the subscription process:

![A screenshot of malware code where it checks for specific message types to determine the next steps required for a subscription to take place. ](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-10-malware-evaluating-the-steps-required-to-initiate-the-subscription-process.png)_Figure 10. Malware evaluating the steps required to initiate the subscription process_

Multi-step or target subscription processes may require additional verification steps. The handler depicted below checks the page URL loaded in the WebView. If the URL matches _doi[.]mtndep.co.za/service/,_ then the handler runs the JavaScript code assigned to the _Properties.call_jbridge_dump_ variable:

![A screenshot of malware code where it identifies the conditions required to determine what routine to run next. It assigns code based on specific conditions such as URL displayed.](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-11-malware-running-code-depending-on-certain-conditions.png)_Figure 11. Malware running code depending on certain conditions_

A _signal_ with _id_ “107” triggers some additional steps that require communication with the command and control (C2) server. This case is demonstrated in the following figures:

![A screenshot of malware code that is run when a signal with the ID number “107” is identified. ](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-12-malware-running-code-depending-on-the-specific-signal-id.png)_Figure 12. Malware running code depending on the specific signal id_

Upon receiving the signal, the handler invokes the _v1.bhu8_ function:

![A screenshot of malware code where the handler invokes the v1.bhu8 function. The said function checks if a service related to anti-fraud protection is running on the device. ](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-13-malware-attacking-anti-fraud-protection.png)_Figure 13. Malware attacking anti-fraud protection_

After checking for the _web-zdm[.]secure-d[.]io/api/v1/activate_in the server’s reply, the malware invokes the _tpack[.]l2.bhu8[.]vgy7 _function. This function sends the current URL loaded in the application’s WebView as well as some extra information like country code, and HTML code:

![A screenshot if malware code where the malware sends information from the device to its C2 server. Sent information include country code, the HTML code of the website shown on the browser.](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-14-malware-sending-information-to-the-c2-server.png)__Figure 14. Malware sending information to the C2 server__ ![A screenshot of malware code where a solver-type service is offered by the C2 server. ](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-15-a-solver-type-service-offered-by-the-c2-server.png)_Figure 15. A solver-type service offered by the C2 server_

### Intercepting OTPs

In most cases, the service provider sends an OTP that must be sent back to the server to complete the subscription process. As the OTP can be sent by using either the HTTP or USSD protocol or SMS, the malware must be capable of intercepting these types of communication. For the HTTP protocol, the server’s reply must be parsed to extract the token. For the USSD protocol, on the other hand, the only way to intercept is by using the accessibility service.

One method of intercepting an SMS message, requiring _android.permission.RECEIVE___SMS_ permission, is to instantiate a _BroadcastReceiver_ that listens for the _SMS__RECEIVED action.

The following code snippet creates a _BroadcastReceiver_and overrides the _onReceive_callback of the superclass to filter out messages that start with “rch”:

![A screenshot of malware code where the malware filters SMS messages that start with “rch”](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-16-code-that-filters-out-sms-messages-that-start-with-rch.png)_Figure 16. Code that filters out SMS messages that start with “rch”_

Subsequently, it creates an _IntentFilter_, which renders the receiver capable of listening for an _SMS_RECEIVED_ action, and finally the receiver is registered dynamically:

![A screenshot of the IntentFilter code, enabling the receiver to listen for any received SMS messages. ](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-17-the-intentfilter-enabling-the-receiver-to-listen-for-an-smsreceived-action-62bcbc599e278.png)_Figure 17. The IntentFilter enabling the receiver to listen for an SMS_RECEIVED action_

To handle OTP messages that are sent using the HTTP protocol, the malware parses the HTML code to search for keywords indicating the verification token. The following code contains a flow where the extracted token is sent to the server using the _sendTextMessage_ API call:

![A screenshot of the malware code where an extracted verification token from the OTP message is sent to the C2 server. The code indicates that this is done through the sendTextMessage API. ](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-18-extracted-token-is-sent-to-the-c2-server-using-the-sendtextmessage-api-call.png)_Figure 18. Extracted token is sent to the C2 server using the sendTextMessage API call_

The additional permission that is required to enable this flow is _SEND_SMS_.

Another way of intercepting SMS messages is to extend the _NotificationListenerService_. This service receives calls from the system when new notifications are posted or removed, including the ones sent from the system’s default SMS application. The code snippet below demonstrates this functionality:

![A screenshot of malware code where the NotificationLIstenerService is extended. This enables the app to receive calls from the system when new notifications are posted or removed.](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-19-extending-the-notificationlistenerservice-service.png)_Figure 19. Extending the NotificationListenerService service_

We triggered a notification with the title “SMS_Received” and text “Pin:12345” during our analysis, resulting in the following output in the application’s logcat:

![A screenshot of the malware’s logcat. The logcat output shows that it is able to capture contents of a notification received by the device. ](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-20-logcat-output-after-a-notification-is-posted.png)_Figure 20. Logcat output after a notification is posted_

Finally, besides the broadcast receiver and the notification listener techniques of intercepting an SMS message, a [_ContentObserver_]() can be used to receive callbacks for changes to specific content. The _onChange_ callback of the _SmsObserver_ class (depicted below) is called each time the system changes the SMS content provider state:

![A screenshot of proof-of-concept code to demonstrate how the malware monitors for incoming SMS messages. ](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-21-the-proof-of-concept-code-monitoring-for-incoming-sms-messages-through-smsobserver.png)_Figure 21. The proof-of-concept code monitoring for incoming SMS messages through SmsObserver_

### Suppressing notifications

Since API level 18, an application that extends the _NotificationListenerService_ is authorized to suppress notifications triggered from other applications. The relevant API calls are:

* _cancelAllNotifications()_ to inform the notification manager to dismiss all notifications
* _cancelNotification(String key)_ to inform the notification manager to dismiss a single notification
* _cancelNotifications(String [] keys)_ to inform the notification manager to dismiss multiple notifications at once.

This API subset is abused by malware developers to suppress service subscription notification messages posted by the default SMS application. More specifically, upon successful subscription, the service provider sends a message to the user to inform them about the charges and offers the option to unsubscribe. By having access to the notification listener service, the malware can call any of the functions mentioned above to remove the notification.

### Using dynamic code loading for cloaking

Cloaking refers to a set of techniques used to hide malicious behavior. For example, most toll fraud malware won’t take any action if the mobile network is not among its targets. Another example of a cloaking mechanism used by these threats is dynamic code loading. This means that certain malware codes are only loaded when certain conditions are met, making it difficult to detect by static analysis.

The following is a characteristic example of a multi-stage toll fraud malware with SHA-256: _2581aba12919ce6d9f89d86408d286a703c1e5037337d554259198c836a82d75_ and package name: _com.cful.mmsto.sthemes_.

#### Stage one

This malware’s entry point is found to be the _com.android.messaging.BugleApplication_, a subclass of the _Application_ class. The malicious flow leads to the function below:

![A screenshot of malware code showing the function where the entry point of the malware leads to. This is the starting point of the dynamic code loading done by the malware. ](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-22-the-function-where-the-entry-point-of-the-malware-leads-to.png)_Figure 22. The function where the entry point of the malware leads to_

The call on line 21 fills the _files_array with the filenames fetched from the _assets_ directory. The _for loop_ enters the_if _branch at line 32 if the name of the asset file ends with “355”. Querying the asset files of the app for such a filename yields the following result:

![A screenshot of the result when querying the malware’s asset file for a file name that ends with “355”. The result is a file with the name PhoneNUmberAlternateFormatsProto_355](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-23-query-result-when-searching-for-355.png)_Figure 23. Query result when searching for “355”_

The _PhoneNumberAlternateFormatsProto_355_ is the source file which, in conjunction with a destination file and the string “xh7FEC2clYuoNQ$ToT99ue0BINhw^Bzy”, is given as parameters to the _ns.j_ function:

![A screenshot of the code of the ns.j function. It shows that the function accepts parameters from the source file PhotoNumberAlternateFormatsProto_355.](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-24-the-nsj-function.png)_Figure 24. The ns.j function_

The _SecretKeySpec_ on line 68 is constructed from the first 16 bytes of the SHA-1 digest of the password string. This key is used to decrypt the file fetched from the assets using Advanced Encryption Standard (AES) in electronic codebook (ECB) mode. The decryption result is an ELF file that is saved in the application’s cache directory and loaded using the _System.load_ function.

#### Stage two

The loaded library fetches the _PhoneNumberAlternateFormatsProto_300_file from the assets folder using the _AAssetManager_fromJava_ function and writes it to a temporary file with the name _b_ in the _/data/data/<package_name>/_ directory, as seen on line 93 below:

![A screenshot of code wherein the malware fetches the second payload from the assets directory. ](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-25-fetching-the-second-payload-from-the-assets-directory.png)_Figure 25. Fetching the second payload from the assets directory._

The file _b_ is then decrypted using an XOR operation with the key “xh7FEC2clYuoNQ$ToT99ue0BINhw^Bzy”, which is given from the Java side (see following figures). The decrypted payload is saved with the name _l_ in the application’s data directory:

![A screenshot of code where the malware decrypts the asset with the name “l_file_fd”. ](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-26-decrypting-the-assets-file.png)_Figure 26. Decrypting asset_ ![](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-27-the-native-handletask-called-from-the-Java-code.png)

_Figure 27. The native handleTask called from the Java code_

The same function loads the decrypted payload _l_ and invokes the _com.AdsView.pulgn_ using the _DexClassLoader_ class loader (variable names have been changed for clarity):

![A screenshot of the malware code where it loads the decrypted asset using the DexClassLoader class loader. ](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-28-dynamically-loading-the-decrypted-asset-using-the-dexclassloader.png)_Figure 28. Dynamically loading the decrypted asset using the DexClassLoader_

Decrypting the second payload manually yields the following APK file:

![A screenshot of the code of the decrypted asset which is an APK file. ](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-29-the-decrypted-apk-file.png)_Figure 29. The decrypted APK file_

It must be mentioned that the _DexClassLoader_can be used to load classes from .jar and .apk files that contain a _classes.dex_ entry.

#### Stage three

This decrypted APK consists of two main classes: the _com.Helper_and _com.AdsView_. The _com.AdsView.pulgn_function is the first to be invoked by the native library described in the previous section:

![A screenshot of the code for the pulgn function, which is the first to be invoked once the payload is loaded. ](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-30-pulgn-is-the-first-function-to-be-invoked-when-the-payload-is-loaded.png)_Figure 30. pulgn is the first function to be invoked when the payload is loaded_

The runnable thread’s main functionality is to connect the host to _xn3o[.]oss-accelerate[.]aliyuncs[.]com_ and download a JAR file named _xn30_, which is saved to the cache directory with name _nvi_ and then loaded using the _startSdk_ function, as shown on line 81 below:

![A screenshot of the malware code where it triggers the download of the final payload. ](https://www.microsoft.com/security/blog/uploads/securityprod/2022/06/fig-31-download-and-trigger-the-final-payload.png)_Figure 31. Download and trigger the final payload_

The file _xn30_ is the final payload of stage three and is the one that performs the toll fraud activities previously described.

## Mitigating the threat of toll fraud malware

Toll fraud is one of the most common malware categories with high financial loss as its main impact. Due to its sophisticated cloaking techniques, prevention from the side of the user plays a key role in keeping the device secure. A rule of thumb is to avoid installing Android applications from untrusted sources (sideloading) and always follow up with device updates. We also recommend end users take the following steps to protect themselves from toll fraud malware:

* Install applications only from the Google Play Store or other trusted sources.
* Avoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong understanding of why the application needs it. These are powerful permissions that are not commonly needed.
* Use a solution such as [Microsoft Defender for Endpoint on Android]() to detect malicious applications.
* If a device is no longer receiving updates, strongly consider replacing it with a new device.

### Identifying potential malware

For security analysts, it is important to be aware that conventional mitigation techniques based on static detection of malware code patterns can only offer limited remediation against this malware. This is due to the extended use of reflection, encryption, compression, obfuscation, steganography, and dynamic code loading.

There are, however, characteristics that can be used to identify this type of malware. We can classify these characteristics into three:

* Primary characteristics – patterns in plaintext included in the application that can be analyzed statically
* Secondary characteristics – common API calls used to conduct toll fraud activities
* Tertiary characteristics – patterns in Google Play Store metadata such as the application’s category, the developer’s profile, and user reviews, among others

The tertiary characteristics are useful for initial filtering for potential malware. Patterns observed in the apps’ metadata are related to malware developers’ attempts to infect as many devices as possible in a short amount of time, while remaining published on the Google Play Store for as long as they can. We’ve observed that attackers often follow these steps to keep their apps in the Google Play Store:

1. Use open-source applications that belong to popular categories and can be trojanized with minimal effort. The preferred application [categories]() include personalization (like wallpaper and lock screen apps), beauty, editor, communication (such as messaging and chat apps), photography, and tools (like cleaner and fake antivirus apps).
2. Upload clean versions until the application gets a sufficient number of installs.
3. Update the application to dynamically load malicious code.
4. Separate the malicious flow from the uploaded application to remain undetected for as long as possible.

These applications often share common characteristics:

* Excessive use of permissions that are not suitable to the application’s usage (for example, wallpaper, editor, and camera apps that bind the notification listener service or ask for SMS permissions)
* Consistent user interfaces, with similar icons, policy pages, and buttons
* Similar package names
* Suspicious developer profile (fake developer name and email address)
* Numerous user complaints in the reviews

Once potential malware samples are identified based on these tertiary characteristics, the primary characteristics can be used for further filtering and confirmation. Applications cannot obfuscate their permission requests, use of the notification listener service, or use of accessibility service. These requests must appear in the _AndroidManifest.xml_ file within the APK, where they can be easily detected using static analysis. The commonly requested permissions by malware performing toll fraud may include:_ READ_SMS, RECEIVE_SMS, SEND_SMS, CHANGE_WIFI_STATE, ACCESS_WIFI_STATE, CHANGE_NETWORK_STATE_. Requests for notification listener and accessibility service should be considered extremely suspicious.

Secondary characteristics also include suspicious API calls including: _setWifiEnabled, requestNetwork, setProccessDefaultnetwork, bindProcessToNetwork, getSimOperator_ and _cancelAllNotifications_. However, since these calls may be obfuscated and may be hard to identify during static analysis, a more in-depth analysis may be necessary for certainty.

### Improving Android security and privacy

Google continuously improves Android security and privacy as the mobile threat landscape evolves and new threats and adversary techniques are discovered. For example, in the operating system, API calls that can reveal potentially sensitive information continue to be removed or restricted, and in the Google Play Store, the publication policies guard against use of certain high-risk permissions (for example, the ability to receive or send SMSs) by requiring a [Permission Declaration Form]() to be completed justifying their use. We anticipate Android security will continue to evolve to address abuse.

As discussed, applications currently can identify the cellular network operator and can send network traffic over the cellular network without any transparency to the user. Additionally, applications can request access to read and dismiss notifications, a very powerful capability, without needing to justify this behavior.

## Conclusion

Toll fraud has been one of the most prevalent types of Android malware in Google Play Store since 2017, when families like Joker and their variants made their first appearance. It accounted for 34.8% of installed Potentially Harmful Application (PHA) from the [Google Play Store in the first quarter of 2022](), ranking second only to spyware.

By subscribing users to premium services, this malware can lead to victims receiving significant mobile bill charges. Affected devices also have increased risk because this threat manages to evade detection and can achieve a high number of installations before a single variant gets removed.

With this blog, we want to inform end users about the details of this threat and how they can protect themselves from toll fraud. We also aim to provide security analysts with guidance on how to identify other malicious applications that use these techniques.

Our in-depth analysis of this threat and its continuous evolution informs the protection we provide through solutions like Microsoft Defender for Endpoint on Android.

[Learn how Microsoft Defender for Endpoint provides cross-platform security, including mobile threat defense capabilities]().

_**Dimitrios Valsamaras **and **Sang Shin Jung**
Microsoft 365 Defender Research Team_

## Appendix

### Samples (SHA-256)

**Sample**| **SHA-256**
—|—
Initial APK file| 2581aba12919ce6d9f89d86408d286a703c1e5037337d554259198c836a82d75 (com.cful.mmsto.sthemes)
Payload of stage two: Elf File (loader)| 904169162209a93ac3769ae29c9b16d793d5d5e52b5bf198e59c6812d7d9eb14 (PhoneNumberAlternateFormatsProto_355, decrypted)
Payload of stage three: APK (hostile downloader)| 61130dfe436a77a65c04def94d3083ad3c6a18bf15bd59a320716a1f9b39d826 (PhoneNumberAlternateFormatsProto_300, decrypted)
Payload of stage four: DEX (billing fraud)| 4298952f8f254175410590e4ca2121959a0ba4fa90d61351e0ebb554e416500f

### Common API calls and permissions

**API Calls**| **Permissions**| **SDK**
—|—|—
setWifiEnabled| CHANGE_WIFI _STATE ACCESS_WIFI_STATE| <29
requestNetwork| CHANGE_NETWORK_STATE| >28
setProcessDefaultNetwork| | <23
bindProcessToNetwork| | >22
getActiveNetworkInfo| ACCESS_NETWORK_STATE|
getSimOperator| |
get (SystemProperties)| |
addJavascriptInterface| |
evaluateJavascript| | >18
onPageFinished| |
onPageStarted| |
onReceive for SMS BroadcastReceiver w/ android.provider.Telephony.SMS_RECEIVED| RECEIVE_SMS| >19
createFromPdu| RECEIVE_SMS|
getMessageBody| |
onChange for SMS ContentObserver w/ android.provider.telephony.SmsProvider’s content URI (“content://sms”)| READ_SMS|
sendTextMessage| |
onNotificationPosted| |

### References

* [Everything You Need to Know About Toll Fraud – Voice & Video – Twilio]()
* [Google Online Security Blog: PHA Family Highlights: Bread (and Friends) (googleblog.com)]()
* [Malware categories | Play Protect | Google Developers]()
* [ConnectivityManager | Android Developers]()
* [DexClassLoader | Android Developers]()
* [Use of the AccessibilityService API – Play Console Help (google.com)]()

The post [Toll fraud malware: How an Android application can drain your wallet]() appeared first on [Microsoft Security Blog]().Read More

Back to Main

Subscribe for the latest news: