Phone (toll) fraud malware is one of the fastest-growing threats on Android. Microsoft has warned that a threat based on this kind of phone malware is spreading on devices running the operating system. The attackers disable the Wi-Fi connection and subscribe the user to premium services.
To carry out the attack, the cybercriminals trick victims into calling or sending an SMS to a premium-rate number, that is, one that carries an additional charge and a higher cost. Those who fall for the scam are subscribed to a paid service and begin to see charges on their phone bills.
One of the characteristics of this fraud is that it does not work while the user is connected to a Wi-Fi network, so it forces the device onto the network of the mobile operator the user is subscribed to.
Thus, when the user sends that SMS or calls the premium number, the malware acts automatically and, without the user noticing, disables Wi-Fi so that the device connects over the mobile network.
Once that step is done, it launches the premium service's subscription page, intercepts the one-time (OTP) codes, and suppresses the notifications and SMS messages that could alert the user that they are being subscribed to these services.
How does this malware manage to disable the Wi-Fi network?
The malware uses standard Android features to monitor the network status and keeps the device from using Wi-Fi, forcing it to stay on the mobile network.
On Android 9 (API level 28) or lower, this is possible with a permission at the "normal" protection level. On higher API levels, there is the requestNetwork function, which is gated by the CHANGE_NETWORK_STATE permission, also at the normal protection level.
With this malware, cybercriminals also obtain data about their victims, such as the operator they are subscribed to or the country they are located in.
This is how this phone malware works
Microsoft has shared more technical details of this malware in a report, noting that it operates over the Wireless Application Protocol (WAP) billing mechanism, which allows subscriptions to paid content to be charged to the phone bill.
According to the company, the malware performs all of these steps automatically, without the user realizing it:
1. Disable the Wi-Fi connection, or wait for the user to switch to a mobile network.
2. Then navigate to the subscription page, automatically click the subscribe button, intercept the OTP (the subscription confirmation code), and cancel the SMS notifications.
Another notable aspect is that the malware uses NetworkCallback to monitor the network state and obtain the 'networktype' variable in order to bind the process to a specific network, which forces the device to ignore an available Wi-Fi connection and use the mobile operator's network instead.
The only way the user can prevent this is to manually disable mobile data. If the victim's mobile operator is on the target list, the malware proceeds to fetch a list of websites that offer premium services and tries to subscribe to them automatically.
While there are several subscription scenarios, typically the user clicks an HTML element and a verification code is then sent to the server. Microsoft notes that additional verification may sometimes be required; the phone fraud samples the company analyzed also include methods to achieve it.
Some operators finalize the subscription only after verifying that the user has authorized it via an OTP code delivered via SMS, HTTP, or USSD (Unstructured Supplementary Service Data).
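The permissions named above (CHANGE_NETWORK_STATE for network steering, SMS permissions for OTP interception, and notification-listener access for suppressing alerts) are individually unremarkable, but their combination in one app is the signature of this fraud chain. The following script is an added example, not code from the article or from Microsoft's report: it runs a static triage heuristic over a decoded AndroidManifest.xml (as produced by apktool or a similar decoder) and reports which of the three indicator groups an app requests. The two sample manifests and the grouping of permissions into indicator categories are constructed for this example.

```python
"""Static triage of a decoded AndroidManifest.xml for toll-fraud indicators.

Added example: flags apps that combine network steering, SMS access and
notification-listener access, the three capabilities the article describes.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Indicator groups (this grouping is an assumption made for the triage heuristic).
NETWORK_STEERING = {
    "android.permission.CHANGE_NETWORK_STATE",   # needed for requestNetwork() on newer APIs
    "android.permission.ACCESS_NETWORK_STATE",   # lets the app watch network type changes
}
SMS_ACCESS = {
    "android.permission.RECEIVE_SMS",            # read incoming OTP messages
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",               # send the subscription SMS itself
}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(manifest_xml):
    """Return the package name, the matched indicator groups and a verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {_attr(e, "name") for e in root.iter("uses-permission")}

    # A service bound with BIND_NOTIFICATION_LISTENER_SERVICE can read and
    # dismiss every notification on the device, including the carrier's alerts.
    listener_services = [
        _attr(s, "name") for s in root.iter("service")
        if _attr(s, "permission") == NOTIFICATION_LISTENER
    ]

    findings = []
    if requested & NETWORK_STEERING:
        findings.append("network-steering: " + ", ".join(sorted(requested & NETWORK_STEERING)))
    if requested & SMS_ACCESS:
        findings.append("sms-access: " + ", ".join(sorted(requested & SMS_ACCESS)))
    if listener_services:
        findings.append("notification-listener: " + ", ".join(listener_services))

    # One group alone is common in legitimate apps; all three together is the fraud pattern.
    verdict = {0: "clean", 1: "low", 2: "medium", 3: "high"}[len(findings)]
    return {"package": root.get("package"), "findings": findings, "verdict": verdict}


# Constructed sample manifests (package names are placeholders, not real apps).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaperpack">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".NotifSvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for sample in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(sample)
        print(result["package"], "->", result["verdict"])
        for f in result["findings"]:
            print("   ", f)
```

A "low" verdict by itself is not actionable: a VPN client legitimately holds CHANGE_NETWORK_STATE and a messaging app holds SMS permissions. The heuristic is meant for prioritising which APKs in a batch get a full dynamic analysis, not as a detection on its own.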
Recommendations to avoid this malware
To avoid falling victim to this new Android threat, it is essential to follow a series of practices that strengthen security:
– Having an antivirus on the mobile device is a good start.
– Keep the phone up to date so that any security flaw is fixed.
– Do not download files from unreliable senders.
– Do not tap suspicious links.
– Do not install applications that do not come from official stores.
– Avoid allowing apps to read or send SMS, access notifications, or log in unless those permissions are required for normal operation.