Older Android phones are a known security risk, but recent research from Microsoft’s 365 Defender Research Team shows just how vulnerable these outdated devices are to a serious form of malware known as “toll fraud.”
Toll fraud malware hides in normal-looking apps, quietly signing up users for premium subscription services through the user’s phone service. We’re not talking covert Netflix subs, here: Instead, victims are signed up for useless services that can cost hundreds of dollars or more each year.
Microsoft’s research shows devices running Android 9 and older are the most at risk for such attacks, but we’ve seen similar exploits affect newer versions of Android as well. Worse, hackers are constantly changing how these attacks work, allowing malicious apps to circumvent Google Play’s security measures. That means there could be scores of toll fraud apps (along with other types of malware) hiding in the Google Play Store listings right now—which is why it’s important for all Android users to know how to spot the problem before it becomes one.
What is toll fraud?
Microsoft has a comprehensive breakdown of how toll fraud works, but the common attack happens in three stages.
First, the user downloads a seemingly safe app from Google Play or a third-party app distributor. Once the app is installed, it updates itself with new, malicious code that would normally flag Google Play’s security checks.
Once updated, the app performs the second phase of the attack, which involves several steps, such as using fake login pages and Wireless Application Protocol (WAP) billing to sign you up for the unwanted services. (WAP billing is a legitimate tool apps use to sign users up for services through their phone service rather than through a payment card or other billing options, but it’s clearly prone to abuse.)
Since WAP billing requires a cellular connection, the fraudulent app will often wait for the infected device to use cellular data instead of a Wi-Fi connection. In some cases, these apps will even force the phone to switch to cellular data when a Wi-Fi connection is available.
For the last part of the attack, the app intercepts and blocks the SMS confirmation—the messages you’d normally receive after signing up for WAP services legitimately—so you won’t know anything is wrong until you check your phone bill and see the unexpected charges.
How to prevent toll fraud malware attacks
Toll fraud attacks like this happen silently in the background, making them extremely difficult to catch. Microsoft’s research team outlined ways Google can continue to enhance its security features to prevent toll fraud and similar forms of malware, but there are also a few ways users can protect themselves from these attacks on their own.
Obviously, the most important thing is to keep your devices updated with the latest versions of Android and all security patches. As we mentioned above, devices running Android 9 and earlier are the most at risk. If possible, update to Android 10 or later and install the latest security patches available to you.
Of course, updating to a newer version of Android isn’t possible for all devices, and buying a new phone to replace your outdated one may not be either. Plus, we’ve seen similar attacks on newer versions of Android, such as the “Joker” malware; it’s also possible (indeed, likely) that new forms of toll fraud could target newer Android phones in the future.
That’s why you should always thoroughly vet an app before downloading it. Read reviews (not just the top-rated ones, but the low ratings, too), research the app online, and only download apps from trusted sources. Similarly, installing a trustworthy anti-malware app may let you intercept sketchy apps before they can do anything.
That said, many shady apps do look legit, which is why you still need to watch for red flags after installing an app. Common characteristics of malicious apps and trojans include:
- Seemingly random login pages requesting to link a social media or email account.
- Unnecessary app permissions.
- Requests to install additional software or updates that don’t come through the Google Play store.
That’s not an exhaustive list, but these are common indicators of an unsafe app. Be sure to check our guides on spotting other types of internet scams and malware for more tips.
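The “unnecessary app permissions” red flag above can be checked mechanically rather than by eye. The Python script below is an added example, not code from this article or from Microsoft’s research: it parses an app’s AndroidManifest.xml and flags the permission combinations that line up with the behaviours described (reading incoming SMS confirmations, switching the device onto cellular data, and prompting installs that bypass Google Play). The permission names are real Android permission strings; the “wallpaper” app and its manifest are constructed for the demo.

```python
"""
Added example: offline triage of an Android manifest for the
permission combinations associated with toll fraud apps.
The sample manifest is constructed; the permission names are real.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission groups tied to the behaviours described in the article.
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",  # can see (and suppress) incoming confirmation texts
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
NETWORK_CONTROL_PERMS = {
    "android.permission.CHANGE_NETWORK_STATE",  # can push the device onto cellular data
    "android.permission.CHANGE_WIFI_STATE",
}
SIDELOAD_PERMS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",  # can prompt installs outside Google Play
}

# Constructed manifest for a "wallpaper" app that asks for far more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Cute Wallpapers"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {
        elem.get(name_attr)
        for elem in root.iter("uses-permission")
        if elem.get(name_attr)
    }


def toll_fraud_red_flags(perms: set) -> list:
    """List human-readable red flags found in a permission set."""
    flags = []
    for label, group in (
        ("sms-access", SMS_PERMS),
        ("network-control", NETWORK_CONTROL_PERMS),
        ("sideload-install", SIDELOAD_PERMS),
    ):
        hits = perms & group
        if hits:
            flags.append(label + ": " + ", ".join(sorted(hits)))
    return flags


def risk_level(flags: list) -> str:
    """Rough verdict: SMS access plus network control together is the
    toll fraud signature; any single group alone is worth a closer look."""
    kinds = {f.split(":")[0] for f in flags}
    if {"sms-access", "network-control"} <= kinds:
        return "high"
    if kinds:
        return "medium"
    return "low"


if __name__ == "__main__":
    perms = declared_permissions(SAMPLE_MANIFEST)
    flags = toll_fraud_red_flags(perms)
    print("declared permissions:", sorted(perms))
    for flag in flags:
        print("RED FLAG", flag)
    print("risk:", risk_level(flags))
```

An APK stores its manifest in a binary XML form, so for a real app you would first extract the text form with a tool such as apktool, or simply feed the output of `aapt dump permissions app.apk` into the same checks. A high score here is a reason to look closer, not proof of fraud: an SMS client legitimately needs RECEIVE_SMS, and a Wi-Fi manager needs CHANGE_WIFI_STATE, so weigh the flags against what the app claims to do.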