Toll fraud malware is a form of billing fraud: it subscribes users to premium services without their knowledge or consent. Microsoft has called toll fraud “one of the most prevalent types of Android malware”, which is why it is important to keep informed about this actively evolving threat. Users of Android 9.0 or lower have been specifically targeted by this form of attack, typically after being tricked into installing malicious apps.
Although this type of malware first became well known in 2017, Microsoft has identified a lack of public understanding of how toll fraud malware works and how prevalent it is. Microsoft’s security blog has published an in-depth look at the toll fraud malware currently affecting Android users, to help people understand the threat and how to mitigate it.
The most common toll fraud attack abuses Wireless Application Protocol (WAP) billing, a payment mechanism that allows subscription charges to be billed directly to the user’s mobile phone bill. In a legitimate subscription, the phone and the premium service provider communicate in multiple steps: the user clicks the subscribe link (usually HTML-based), and in some cases a one-time passcode (OTP) is sent to the user’s phone and must be returned to the service provider to confirm the subscription.
In toll fraud, the malware disables the user’s Wi-Fi by abusing the setWifiEnabled method of the WifiManager class. This is possible because the ACCESS_WIFI_STATE and CHANGE_WIFI_STATE permissions have the “normal” protection level, so they are granted at install time without a user prompt. The malware then monitors network status through a NetworkCallback, retrieves the network type, and binds its process to the chosen network with the ConnectivityManager.bindProcessToNetwork function, which forces it to use the mobile network even when a Wi-Fi connection is available.
Once the malware has ensured the phone is communicating over the mobile network only, it contacts a C2 server to receive a list of subscription services. It silently navigates to each subscription page and auto-clicks the subscribe button through a JavaScript injection. A cookie is set to ensure each service is subscribed to only once, so as not to trigger an error. If an OTP is sent to validate the subscription, the malware intercepts it and forwards it to the service provider to complete the subscription. The malware is designed to intercept both the HTTP and USSD protocols so that it captures every possible OTP. It then suppresses SMS notifications so that the user is not made aware of the subscription later.
To mitigate the threat of toll fraud malware, users should be wary of the permissions an app requests on installation. Any app that asks for permission to read or send SMS messages, or that requests accessibility permissions, should raise an immediate red flag. Apps should only be downloaded from trusted sources such as the Google Play Store to avoid apps with malicious intent. Installing endpoint protection on Android devices can also help detect malware and prevent the permission abuse that makes toll fraud possible.
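The permission pattern described above (install-time Wi-Fi control, SMS access, an accessibility service) is something an analyst can triage statically from an app’s AndroidManifest.xml. The following script is an added example written for this article, not code from Microsoft’s blog or from any real malware sample: it parses a manifest, extracts the declared permissions and any service that binds as an accessibility service, and reports a risk level. The two manifests embedded in it are constructed for illustration, and the risk levels (clean, red_flag, toll_fraud_pattern) are this example’s own labels.

```python
"""Static triage of an Android manifest for the toll-fraud permission pattern.

Added example (not part of the original article). Checks an AndroidManifest.xml
for the combination the article describes: Wi-Fi state control (normal-level
permissions granted at install), SMS access, and an accessibility service.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"
TARGET_SDK_ATTR = f"{{{ANDROID_NS}}}targetSdkVersion"

# Permission groups tied to the behaviour described in the article.
WIFI_CONTROL = {
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.CHANGE_WIFI_STATE",
}
SMS_ACCESS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def parse_manifest(xml_text):
    """Return (declared permissions, accessibility service names, targetSdkVersion or None)."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    accessibility = {
        svc.get(NAME_ATTR)
        for svc in root.iter("service")
        if svc.get(PERMISSION_ATTR) == ACCESSIBILITY_BIND
    }
    sdk = root.find("uses-sdk")
    target = int(sdk.get(TARGET_SDK_ATTR)) if sdk is not None and sdk.get(TARGET_SDK_ATTR) else None
    return perms, accessibility, target


def assess(xml_text):
    """Classify a manifest; findings are ordered so output is stable for comparison."""
    perms, accessibility, target = parse_manifest(xml_text)
    findings = []
    if WIFI_CONTROL <= perms:          # both Wi-Fi permissions: can toggle Wi-Fi silently
        findings.append("wifi_control")
    if perms & SMS_ACCESS:             # can read or send SMS (OTP interception channel)
        findings.append("sms_access")
    if accessibility:                  # accessibility service: can drive the UI
        findings.append("accessibility_service")

    # The article's red flags are SMS or accessibility permissions; combined with
    # Wi-Fi control they match the full toll-fraud pattern. Labels are this example's own.
    red_flag = "sms_access" in findings or "accessibility_service" in findings
    if red_flag and "wifi_control" in findings:
        level = "toll_fraud_pattern"
    elif red_flag:
        level = "red_flag"
    else:
        level = "clean"
    # target_sdk is reported for analyst context only; the article notes that devices
    # on Android 9.0 or lower are the ones being targeted.
    return {"level": level, "findings": findings, "target_sdk": target}


# Constructed sample manifests (not real apps).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspect">
  <uses-sdk android:targetSdkVersion="28"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-sdk android:targetSdkVersion="33"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, assess(text))
```

Run against a manifest pulled from an APK (after decoding the binary XML with a tool such as apktool), the script gives a first-pass verdict; a match is a reason to look closer at the app, not proof of fraud, since some legitimate apps need SMS or accessibility access.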