Security Experts:

WAP Billing Trojans Threaten Android Users

Several of the pieces of malware targeting Android devices in the second quarter of 2017 abused WAP billing to help cybercriminals make money, Kaspersky reported on Thursday.

Wireless Application Protocol (WAP) billing provides a mechanism for users to acquire content online and have it charged directly to their mobile phone bill so that they don’t have to provide any payment card information. The method is similar to premium SMS services, but it does not involve sending SMS messages and instead users have to click on a button displayed on a website to approve charges.

Android malware abusing WAP billing was spotted in the past years, including on Google Play, and it now appears to be making a comeback.

Several of the top 20 most common trojans detected by Kaspersky products in the second quarter abused WAP billing. While a majority of the infections were in Russia and India, victims were also seen in many other countries.

“We haven’t seen these types of Trojans for a while. The fact that they have become so popular lately might indicate that cybercriminals have started to use other verified techniques, such as WAP-billing, to exploit users,” said Roman Unuchek, security expert at Kaspersky Lab. “Moreover, a premium rate SMS Trojan is more difficult to create. It is also interesting that malware has targeted mainly Russia and India, which could be connected to the state of their internal, local telecoms markets.”

The list of trojans that abuse WAP billing include Trojan-Clicker.AndroidOS.Ubsod, which infected nearly 8,000 devices in Russia and 81 other countries; Xafekopy, which infected more than 5,000 users in India and 47 other countries; Autosus, which infected roughly 1,400 devices in India, South Africa and Egypt; and Podec, which had last been seen in the second quarter of 2016.

These pieces of malware have been used by several cybercrime groups, and while in some cases their development started in late 2016 or early 2017, their use increased significantly at the beginning of summer.

The samples analyzed by Kaspersky disable the infected device’s WiFi and enable the mobile data connection, which is needed due to the fact that WAP billing only works through mobile Internet as the carrier needs to be able to identify the user making the online purchase.

The trojans then use JavaScript code to automate certain actions, such as opening web pages and clicking on the buttons associated with WAP billing. By automating these tasks, no user interaction is required for the attack to work.

The malware also deletes incoming SMS messages to avoid raising suspicion. Some samples also abuse Device Administrator rights on the infected Android device to make their removal more difficult.

“We weren’t able to find a reason why so many cybercriminals decided to switch or to start attacking WAP-billing services at the same time,” Unuchek said. “WAP-billing services are not a new thing – in some countries they’ve existed for several years.”

Related: Android Malware Found on Google Play Abuses Accessibility Service

Related: Android Malware 'Dvmap' Delivered via Google Play

Related: SpyDealer Malware Steals Private Data From Popular Android Apps

view counter
Eduard Kovacs is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.