Trojans exploit WAP subscriptions to steal money

How mobile Trojans exploit WAP billing to steal money, and how to protect yourself.

Do you remember what WAP is? Didn’t think so! WAP is a rather primitive excuse for mobile Internet. The tiny websites it can access show mostly text, and we visited them back when phones had just learned to transmit data.

Despite the fact that WAP has practically passed into oblivion, parts of the technology are still supported by mobile carriers. For example, some still support WAP billing, which allows users to pay for something right on a website directly from their mobile accounts.

WAP billing as a revenue source for cybercriminals

WAP billing has several problems. First of all, it is not quite transparent for the buyer. In theory, a page with WAP billing should display what exactly you are buying and how much you will pay; in practice, though, your mileage may vary.

Second, three parties participate in WAP-billing transactions simultaneously — that’s in addition to the buyer — the mobile operator, the payment service provider, and, finally, the content provider. (Having so many parties may complicate refunds, but that’s getting ahead of things.)

And most important, bank cards are not used for these payments. With lots of other scams, victims must be tricked into entering their bank information. With a WAP scam, victims don’t even need to have a bank account, but you can bet they all have access to a mobile account.

Essentially, what we’re looking at here is the same as sending premium-rate text messages. There is a small added detail, though: Malware that exploits WAP billing is less complicated than Trojans that send premium-rate SMS messages. Cyber-criminals do not even really have to teach their malware creations to gain the access they need for sending SMS messages; these Trojans are capable of staying under the radar and not asking for any special permissions such as access to Accessibility features.

Trojans that have learned to exploit WAP billing

The amenities of WAP billing have been actively abused by cyber-criminals, who have started adding to their malware the ability to open Web pages that have WAP billing and click buttons that initiate payments while the user suspects nothing. A researcher from Kaspersky Lab, Roman Unuchek, found that these Trojans started to appear more often than usual in Q2 2017.

One of the prime examples of such Trojans is the Ubsod family. This malware variety, which is detected as Trojan-Clicker-AndroidOS.Ubsod, works like this: From a command-and-control server, the Trojan receives the URL addresses of websites with buttons; after that, the Trojan visits the websites and clicks buttons to subscribe users to various unwanted paid services.

And because mobile operators typically send SMS messages with subscription notifications, the Trojan is trained to intercept and delete any SMS messages that contain the text “ubscri” or “одпи”, which are parts of the words “subscription” and “подписка” (“subscription” in Russian) respectively. It can also turn off Wi-Fi and switch a smartphone to mobile data. After all, WAP billing works only when a user connects to the Internet through mobile data — a Wi-Fi connection will not work for subscriptions in this case.

Another Trojan, which our products detect as Trojan-Dropper.AndroidOS.Ubsod, does the same, but it can also unpack files downloaded along with it and start them. And a third, Trojan-Banker.AndroidOS.Ubsod, in addition to everything mentioned above, knows some tricks typical to banking Trojans: how to overlay banking apps with phishing windows, execute commands, show advertisements, and send SMS messages.

Another rather popular piece of malware, Trojan-Clicker.AndroidOS.Xafekopy pretends to be a useful app, most often a battery optimiser for smartphones. It looks quite convincing; nothing in its UI reveals its malicious nature. But it clicks through WAP-billing URLs as well as advertisement URLs — Trojan authors often implement several methods of gaining profit in their malware.

You may realise that there is a WAP-billing Trojan-clicker residing on your mobile device only after noticing that all of the money in your mobile account is gone. Alternatively, your security solution can detect the malware and notify you of it.

How to protect your device from WAP-billing Trojans

1. Prohibit the installation of apps from unknown sources. This type of Trojan can be distributed through advertisements, and with this prohibition in place, you simply will not be allowed to install them. To block installation from unknown sources, go to Settings –> Security in your smartphone and uncheck Unknown sources. You can learn more about useful Android security settings in this article.

2. Your mobile network operator probably has some sort of self-service portal where you can find all active services, including your current WAP subscriptions. If your mobile account is running out of cash suspiciously fast, then open your carrier’s self-service page and check to see if you are subscribed to something paid and unwanted. Some mobile operators let subscribers disable WAP-billing services completely.

[kisa banner]

3. Install a reliable security solution on your mobile device. For example, Kaspersky Internet Security for Android is capable of detecting and neutralising the menagerie of malware mentioned above. The free version requires the user to run scans manually, whereas the paid version scans automatically, including when any new app is installed.