Microsoft Issues a Warning Regarding Increasing Toll Fraud Android Malware App Capabilities


Microsoft has detailed the expanding capabilities of Android toll fraud malware, highlighting its “complicated multi-step attack cycle” and its improved techniques for evading security analysis.

Toll fraud is a type of billing fraud in which deceptive mobile applications trick unwitting users into subscribing to premium content without their knowledge or consent.

The malware also forces the device onto the mobile network even when a Wi-Fi connection is available, according to a detailed analysis by Dimitrios Valsamaras and Sang Shin Jung of the Microsoft 365 Defender Research Team.

Once the cellular connection is established, the malware covertly initiates a fraudulent subscription and confirms it without the user’s knowledge, in some cases by intercepting the one-time password (OTP) the operator sends to verify it.

To keep victims from noticing the fraudulent charge and cancelling the service, such apps are also known to suppress the SMS notifications associated with the subscription.

Toll fraud primarily abuses Wireless Application Protocol (WAP) billing, a payment mechanism that lets users pay for services on WAP-enabled websites. The subscription cost is charged directly to the customer’s mobile phone bill, so no credit or debit card, username, or password is required.

“If the user connects to the internet through mobile data, the mobile network operator can identify him/her by IP address,” Kaspersky noted in a 2017 report about WAP billing trojan clickers. “Mobile network operators charge users only if they are successfully identified.”

Some providers also request an OTP before activating the service, as an additional layer of subscription confirmation.

According to the researchers, “in the instance of toll fraud, the virus conducts the subscription on the user’s behalf in a way that the total process isn’t perceptible.” To obtain a list of available services, the malware will “connect with a [command-and-control] server.”

This is done by first turning off Wi-Fi and turning on mobile data, then silently subscribing to the service via JavaScript, and finally intercepting and submitting the OTP code (if required) to complete the process.

To start the subscription programmatically, the JavaScript code clicks HTML elements containing the keywords “confirm,” “click,” and “proceed.”

Once a fraudulent subscription succeeds, the malware either hides the subscription notification messages or abuses its SMS permissions to delete incoming text messages from the mobile network operator that carry information about the subscribed service.

Toll fraud malware is also known to hide its malicious activity using dynamic code loading, an Android feature that lets an app fetch additional modules from a remote server at runtime, which makes it easy for bad actors to abuse.

From a security standpoint, this also means a malware author can design an app so that the rogue functionality is loaded only under specific conditions, thereby evading static code analysis.
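The attack chain described above (forcing traffic onto cellular, auto-clicking the WAP billing page, intercepting or deleting carrier SMS) and the dynamic code loading used to hide it each leave static indicators in an unpacked APK. The following is an added example, not code from Microsoft’s report or from any malware family it names: a triage script that checks a decompiled app’s manifest and string table for those indicators together, since each one on its own is common in legitimate apps. The manifest and string samples are constructed for the example, and the API and permission names are the ones a practitioner would expect to see for these behaviours, not a list taken from the page.

```python
"""Static triage of an unpacked Android APK for toll-fraud indicators.

Constructed example. Inputs are the app's AndroidManifest.xml (as text) and a
list of strings pulled from its decompiled dex (e.g. via `strings` or a dex
parser). Each indicator alone is weak evidence; the verdict requires the
combination the toll-fraud chain needs.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that allow reading, intercepting or deleting carrier SMS
# (subscription confirmations and OTPs).
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
# API references used to steer traffic onto the cellular interface.
CELLULAR_APIS = ("requestNetwork", "bindProcessToNetwork",
                 "TRANSPORT_CELLULAR", "setNetworkPreference")
# Class loaders used for dynamic code loading of a downloaded payload.
DYNAMIC_LOAD_APIS = ("DexClassLoader", "InMemoryDexClassLoader", "PathClassLoader")
# Keywords the injected JavaScript looks for in HTML elements before clicking.
CLICK_KEYWORDS = ("confirm", "click", "proceed")
CLICK_CALL = re.compile(r"\.click\s*\(\s*\)")


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the android:name of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def find_indicators(manifest_xml: str, strings: list[str]) -> dict[str, list[str]]:
    """Map each indicator category to the evidence (permissions or strings) that matched."""
    hits: dict[str, list[str]] = {}

    sms = sorted(declared_permissions(manifest_xml) & SMS_PERMISSIONS)
    if sms:
        hits["sms_access"] = sms

    cellular = [s for s in strings if any(api in s for api in CELLULAR_APIS)]
    if cellular:
        hits["force_cellular"] = cellular

    dyn = [s for s in strings if any(api in s for api in DYNAMIC_LOAD_APIS)]
    if dyn:
        hits["dynamic_code_loading"] = dyn

    # JS that calls .click() and mentions one of the keywords, with the
    # ".click()" call itself removed so it does not match the "click" keyword.
    js = [
        s for s in strings
        if CLICK_CALL.search(s)
        and any(k in CLICK_CALL.sub("", s).lower() for k in CLICK_KEYWORDS)
    ]
    if js:
        hits["js_auto_click"] = js
    return hits


def verdict(hits: dict[str, list[str]]) -> str:
    """Combine indicators. Dynamic loading alone is not malicious, but when it
    appears with SMS access the billing logic may simply not be in the APK
    yet, so the sample is flagged for dynamic analysis rather than cleared."""
    core = {"sms_access", "force_cellular", "js_auto_click"}
    n = len(core & hits.keys())
    if n == 3:
        return "likely-toll-fraud"
    if n == 2 or (n >= 1 and "dynamic_code_loading" in hits):
        return "suspicious"
    return "no-toll-fraud-indicators"


# Constructed samples: a suspect app and a benign notes app.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
</manifest>"""
SUSPECT_STRINGS = [
    "Landroid/net/ConnectivityManager;->requestNetwork(Landroid/net/NetworkRequest;Landroid/net/ConnectivityManager$NetworkCallback;)V",
    "Landroid/net/NetworkCapabilities;->TRANSPORT_CELLULAR:I",
    "Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V",
    "javascript:var b=document.querySelector('button');if(/confirm|proceed/i.test(b.innerText))b.click();",
    "https://example.invalid/api/services",
]
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
BENIGN_STRINGS = ["https://example.invalid/sync", "Lokhttp3/OkHttpClient;"]

if __name__ == "__main__":
    for name, manifest, strs in (("suspect", SUSPECT_MANIFEST, SUSPECT_STRINGS),
                                 ("benign", BENIGN_MANIFEST, BENIGN_STRINGS)):
        hits = find_indicators(manifest, strs)
        print(name, verdict(hits), sorted(hits))
```

The verdict deliberately never returns “clean” for an app that combines SMS permissions with a class loader and nothing else: as the paragraph above notes, a dynamically loaded payload leaves no billing logic in the APK for static analysis to find, so that combination is the case to hand to a sandbox rather than to clear.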

Google states in its developer guidance on potentially harmful applications (PHAs) that “if an app permits dynamic code loading and the dynamically loaded code is harvesting text messages, it will be categorized as a backdoor virus.”

Toll fraud apps accounted for 34.8% of all PHAs installed from the Google Play Store in the first quarter of 2022, ranking second only to spyware, with an install rate of 0.022 percent. Most of the installations came from Turkey, Mexico, India, Russia, and Indonesia.


To reduce the risk of toll fraud malware, users should install apps only from the Google Play Store or other trusted sources, avoid granting apps excessive permissions, and consider replacing a device that no longer receives software updates.
