There’s a nasty Android bug on the loose, according to the Microsoft 365 Defender Research Team, and it can drain your wallet if you’re not aware of its presence. The threat, called toll fraud malware, facilitates billing fraud by allowing malicious actors to secretly sign you up for paid services on your behalf.
What’s worse is that cybercriminals can suppress text messages sent to subscribers informing them about the new paid app that, unbeknownst to them, they signed up for.
How toll fraud malware works
So how do malicious actors get you to sign up for subscriptions without your consent? They take advantage of a mechanism called Wireless Application Protocol (WAP) billing, which charges a purchase (e.g., an HBO Max subscription) directly to the consumer’s phone bill.
They also disable victims’ Wi-Fi because toll fraud malware requires a cellular connection to be successful. According to the Microsoft 365 Defender Research Team, threat actors target users of specific network operators. “Once the connection to a target network is confirmed, it stealthily initiates a fraudulent subscription and confirms it without the user’s consent,” the researchers said.
Toll fraud malware can even intercept one-time passwords (OTPs) that are often sent to subscribers to verify paid services. Some providers don’t send OTPs at all, which means hackers can subscribe to apps on victims’ behalf with just one click.
As mentioned, even text messages about the new subscription get thwarted. “By having access to the notification listener service, the malware can […] remove the notification.”
Now, the victim has no idea that they’ve been signed up for unwanted premium services until they check their monthly phone bill. Among those who pay without looking, this deceptive scheme can go on for months — even years.
How to avoid it
This nasty Android bug can end up on your phone if you unwittingly download an inauthentic, malware-injected app masquerading as a legitimate platform in the Google Play Store. They often pretend to be “cleaners” (e.g., phony antivirus apps), photography apps, chat and messaging platforms, and personalization apps.
How do you know if an app is fake? If it’s asking for permission to use a function that doesn’t align with its purpose, something’s up (e.g., a “photography app” asking for SMS privileges).
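As an added illustration of that permission-mismatch check (example code written for this page, not from Microsoft’s report or any product), the Python below parses a constructed AndroidManifest.xml and flags the capabilities the article associates with toll fraud (SMS access, Wi-Fi control, a notification listener) that the app’s claimed category does not justify. The category table and the sample “photo editor” app are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the article attributes to toll fraud malware, keyed by the
# Android permission an app must declare to obtain each one.
TOLL_FRAUD_SIGNALS = {
    "android.permission.RECEIVE_SMS": "read incoming SMS (OTP interception)",
    "android.permission.READ_SMS": "read stored SMS (OTP interception)",
    "android.permission.CHANGE_WIFI_STATE": "toggle Wi-Fi (force cellular path)",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE":
        "notification listener (hide subscription notices)",
}

# Permissions that are plausible for what the store listing claims the app is.
# Assumed categories, chosen to match the article's examples.
EXPECTED_FOR_CATEGORY = {
    "photography": {"android.permission.CAMERA"},
    "messaging": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
}

def declared_capabilities(manifest_xml: str) -> set:
    """Collect <uses-permission> names plus any permission a <service> binds with."""
    root = ET.fromstring(manifest_xml)
    caps = {n.get(ANDROID_NS + "name") for n in root.iter("uses-permission")}
    caps |= {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    caps.discard(None)  # elements missing the attribute contribute nothing
    return caps

def mismatched_capabilities(manifest_xml: str, claimed_category: str) -> dict:
    """Return toll-fraud-relevant capabilities the claimed category does not justify."""
    expected = EXPECTED_FOR_CATEGORY.get(claimed_category, set())
    return {c: TOLL_FRAUD_SIGNALS[c]
            for c in sorted(declared_capabilities(manifest_xml))
            if c in TOLL_FRAUD_SIGNALS and c not in expected}

# Constructed manifest for a hypothetical "photo editor" that also wants SMS,
# Wi-Fi control and a notification listener service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application><service android:name=".Listener"
    android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/></application>
</manifest>"""

if __name__ == "__main__":
    for perm, why in mismatched_capabilities(SAMPLE_MANIFEST, "photography").items():
        print(f"suspicious: {perm} -> {why}")
```

Run against the sample, the “photography” listing is flagged for all three toll-fraud capabilities, while the same manifest under a “messaging” listing is flagged only for Wi-Fi control and the notification listener.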
Toll fraud malware isn’t new, but Microsoft warns that it continues to evolve. It’s worth noting that this vulnerability only affects users with phones that run Android 9.0 or older. As such, simply updating your device should suffice. If you can’t run any updates on it, check out our best mobile security apps page.