Android users are being attacked by malware that subscribes them to premium services they did not want or sign up for, according to a blog post from Microsoft Security.
In a report from Microsoft researchers Dimitrios Valsamaras and Sang Shin Jung, the pair detailed the continuing evolution of "toll fraud malware" and the ways it attacks Android users and their devices. According to the team, toll fraud malware falls under the subcategory of billing fraud "in which malicious applications subscribe users to premium services without their knowledge or consent" and "is one of the most prevalent types of Android malware."
Toll fraud works over the Wireless Application Protocol (WAP), which allows consumers to subscribe to paid content and add the charge to their phone bill. Because this attack relies on a cellular network to do the dirty business, the malware might disconnect you from Wi-Fi or use other means to force you onto your cellular network. Once the device is on the cellular network, the malware starts subscribing to premium services while also hiding any one-time passwords (OTPs) sent to verify your identity. This is to keep targets in the dark so that they don't unsubscribe.
The evolution of toll fraud malware from its dial-up days presents a dangerous threat, researchers warn. The malware can lead to victims receiving significant mobile bill charges. Affected devices are also at increased risk because the malware is able to evade detection and can achieve a high number of installations before a single variant can be removed.
How does this malware even end up on my device in the first place?
This type of attack starts when a user downloads an app that the malware is disguised as from the Google Play Store. These trojan apps will usually be listed in popular categories in the app store such as personalization (wallpaper and lock screen apps), beauty, editor, communication (messaging and chat apps), photography, and tools (like cleaner and fake antivirus apps). The researchers say that these apps will ask for permissions that don't make sense for what the app does (e.g. a camera or wallpaper app asking for SMS or notification listening privileges).
The purpose of these apps is to be downloaded by as many people as possible. Valsamaras and Shin Jung identified some common ways in which attackers will try to keep their app on the Google Play Store:
- Upload clean versions until the application gets a sufficient number of installs.
- Update the application to dynamically load malicious code.
- Separate the malicious flow from the uploaded application to remain undetected for as long as possible.
What can I do to protect against malware?
Valsamaras and Shin Jung say that potential malware in the Google Play Store has common characteristics one can look for before downloading an app. As stated above, some apps will ask for excessive permissions that their function doesn't require. Other characteristics to be on the lookout for are apps with similar UIs or icons, developer profiles that look fake or have poor grammar, and a slew of bad reviews.
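The permission mismatch described above can be checked mechanically before an app is approved for a managed device. The following is an added example, not code from the Microsoft report: it assumes the manifest has already been decoded to plain XML (for example by apktool), and the category set, function name and sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
       "android.permission.SEND_SMS"}
NETWORK = {"android.permission.CHANGE_WIFI_STATE",
           "android.permission.CHANGE_NETWORK_STATE"}
LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# Assumption: categories from the article with no obvious need for SMS or
# notification access; "communication" is left out because chat apps may need SMS.
LOW_NEED = {"personalization", "beauty", "editor", "photography", "tools"}

def triage_manifest(manifest_xml, category):
    """Return findings for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)  # use defusedxml for untrusted input
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    # A notification listener is declared on a <service>, not via <uses-permission>.
    listens = any(s.get(ANDROID + "permission") == LISTENER
                  for s in root.iter("service"))
    sms = sorted(requested & SMS)
    findings = []
    if category in LOW_NEED:
        findings += [f"{category} app requests {p}" for p in sms]
        if listens:
            findings.append(f"{category} app declares a notification listener")
    # Network switching plus an OTP channel matches the flow the report describes.
    if requested & NETWORK and (sms or listens):
        findings.append("can change network state and read OTP messages")
    return findings

# Constructed sample manifest, not taken from any real application.
SAMPLE_WALLPAPER = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application>
    <service android:name=".Sync"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_WALLPAPER, "personalization"):
        print("FLAG:", finding)
```

A finding is a prompt for manual review, not a verdict: legitimate apps can request these permissions, and malicious code loaded dynamically after install will not appear in the manifest.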
If you believe you've already downloaded a potential malware app, some common signs include rapid battery drain, connectivity issues, constant overheating, or a device that is running much slower than normal.
The pair also warned against sideloading any apps that you can't get officially in the Google Play Store, as this can increase the risk of infection. Their findings showed that toll fraud malware accounted for 34.8% of installed "Potentially Harmful Applications" (PHAs) from the Google Play Store in the first quarter of 2022, second only to spyware.
According to a Google transparency report, most of the installations originated from India, Russia, Mexico, Indonesia, and Turkey.