Kaspersky Lab researchers have discovered an unusual rise in mobile Trojan clickers that are stealing money from Android users through WAP-billing – a type of direct mobile payment taken without any additional registration.
Kaspersky Lab researchers have discovered an unusual rise in mobile Trojan clickers that are stealing money from Android users through WAP-billing – a type of direct mobile payment taken without any additional registration. This trend has not been observed for a while, but in Q2 of 2017 it became surprisingly common, with thousands of affected users in different countries across the globe, mainly in India and Russia.
Wireless Application Protocol (WAP) billing has been widely used by mobile network operators for paid services and subscriptions for many years. This form of mobile payment charges costs directly to the user’s mobile phone bill, without the need for bank card registration or a sign-up process. A user is usually redirected to a different web page via a button, and offered a range of additional services. By clicking on it, the user activates a subscription, and his mobile account is charged. In this current threat scenario, all of these actions can be easily implemented by a Trojan, which performs in secret and clicks on every page by itself. In addition, a simple registration of domains in a mobile operator’s billing system, allows fraudsters to relatively easy connect their website to a WAP-billing service. As a result, money from a victim's account flows directly to the hackers’ accounts.
Kaspersky Lab detected several popular Trojan families among the “TOP 20 mobile malware programs” using the WAP-billing service. To become active through mobile Internet, all Trojan versions are able to turn off Wi-Fi and turn on mobile data. The most popular Trojan, belonging to the Trojan-Clicker.AndroidOS.Ubsod malware family, receives URLs from its command and control server and opens them. According to KSN statistics, this Trojan infected almost 8 000 infected users from 82 countries, in July 2017.
Another popular mobile malware in this theft scenario uses Java Script files to click on buttons with WAP-billing. For instance, the Xafekopy Trojan, distributed through ads and masquerading as useful apps such as battery optimizers, can subscribe users to different services and steal their money. Kaspersky Lab experts also found that it shares some similarities with the Ztorg malware, which has also been recently reported by Kaspersky Lab. Like Ztorg, the Xafekopy is of Chinese-speaking origin.
Some Trojan families, such as Autosus and Podec exploit Device Administrator rights, making it harder to delete the Trojan. Moreover, by using JS files Trojans have capabilities to bypass CAPTCHA. For example, the Podec Trojan, which has been active since 2015. Based on Kaspersky Lab research it was the third most common Trojan in June 2017, among those exploiting WAP-billings, and is still active mainly in Russia.
“We haven’t seen these types of Trojans for a while. The fact that they have become so popular lately might indicate that cybercriminals have started to use other verified techniques, such as WAP-billing, to exploit users. Moreover, a premium rate SMS Trojan is more difficult to create. It is also interesting that malware has targeted mainly Russia and India, which could be connected to the state of their internal, local telecoms markets. However, we have also detected the Trojans in South Africa and Egypt”, says Roman Unuchek, security expert at Kaspersky Lab.
To prevent any malicious actions and to stay protected, Kaspersky Lab advises users to be attentive to apps installed on their devices, to avoid those from unknown sources, and to always keep their device updated with the latest security protection.
Kaspersky Lab also recommends that users install a reliable security solution on their device, such as Kaspersky Mobile Antivirus: Web Security & AppLock, which aims to protect users’ privacy and personal information from Android mobile threats.
Read more about mobile Trojans exploiting WAP-billings on Securelist.com.