A blast from the past: Mobile trojans abusing WAP-billing services
Fraudsters now piggybacking on 2.5G mobile tech
Crooks slinging mobile trojans have reverted to old techniques by stealing users' money through WAP-billing services.
The "unusual" rise in mobile trojan clickers that steal money from Android users through Wireless Application Protocol (WAP) billing has been tracked by security researchers at Kaspersky Lab. The unexpected trend had been in evidence for a while, but in Q2 of 2017 it became surprisingly common, with thousands of affected users in different countries across the globe, mainly in India and Russia, according to Kaspersky Lab.
WAP billing has been widely used by mobile network operators for paid services and subscriptions for many years. This form of mobile payment charges costs directly to the user's mobile phone bill, avoiding the need for bank card registration or a sign-up process.
The technology normally works by redirecting users to a different web page where the user activates a subscription and their mobile account is charged.
Cybercrooks are abusing this legitimate technology by developing trojans that covertly subscribe to "services" owned and controlled by fraudsters. A simple registration of domains in a mobile operator's billing system allows fraudsters to connect their website to a WAP-billing service. As a result, money from a victim's account is siphoned off to line the pockets of fraudsters.
"We haven't seen these types of [WAP-billing service] trojans for a while," said Roman Unuchek, security expert at Kaspersky Lab. "The fact that they have become so popular lately might indicate that cybercriminals have started to use other verified techniques, such as WAP-billing, to exploit users. Moreover, a premium rate SMS trojan is more difficult to create. It is also interesting that malware has targeted mainly Russia and India, which could be connected to the state of their internal, local telecoms markets. However, we have also detected the trojans in South Africa and Egypt."
Some trojan families, such as Autosus and Podec, exploit Device Administrator rights, making them harder to delete.
Michael Covington, VP of product strategy at Wandera, said: "While we have certainly seen examples of malware that targets users of WAP-billing services, it is not the most prevalent threat that we see on mobile. In fact, the class of malware that we currently see in broad distribution is adware. It seems that many attackers are simply going after a quick payday and mobile adware, much like spam was on email, provides the easiest way to profit from mass distribution."
To become active through mobile internet, all WAP-billing mobile trojan versions are able to turn off Wi-Fi and turn on mobile data, as explained in a blog post by Kaspersky Lab.
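For defenders triaging Android samples, the behaviours described above (switching from Wi-Fi to mobile data, and holding Device Administrator rights) leave traces in an app's decoded manifest. The following is an added example, not code from Kaspersky Lab or the article. It assumes the network switching appears as the two standard permissions listed, and the sample manifests and package names are constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Assumed mapping from the behaviours in the article to manifest permissions.
NETWORK_SWITCH = {
    "android.permission.CHANGE_WIFI_STATE": "can turn Wi-Fi off",
    "android.permission.CHANGE_NETWORK_STATE": "can change network connectivity",
}

def triage_manifest(xml_text):
    """Return (findings, suspicious) for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        requested.update(e.get(A + "name") for e in root.iter(tag))
    findings = [f"{p}: {why}" for p, why in NETWORK_SWITCH.items() if p in requested]
    # A Device Administrator receiver is protected by BIND_DEVICE_ADMIN.
    for rcv in root.iter("receiver"):
        if rcv.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            findings.append(f"{rcv.get(A + 'name')}: device-admin receiver")
    # Escalate only when both network-switching permissions are requested.
    suspicious = all(p in requested for p in NETWORK_SWITCH)
    return findings, suspicious

# Constructed sample manifests (hypothetical package names).
SAMPLE_SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.batteryboost">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wifiwidget">
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, triage_manifest(xml_text))
```

A positive result is a reason to prioritise a sample for dynamic analysis, not a verdict: legitimate connectivity tools request the same permissions.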