- Forcing cellular communication<\/a><\/li>
- Fetching premium service offers and initiating subscriptions<\/a><\/li>
- Intercepting OTPs<\/a><\/li>
- Suppressing notifications<\/a><\/li>
- Using dynamic code loading for cloaking<\/a><\/li><\/ul><\/li>
- Mitigating the threat of toll fraud malware<\/a>
- Identifying potential malware<\/a><\/li>
- Improving Android security and privacy<\/a><\/li><\/ul><\/li><\/ul>\n\n\n\n
The WAP billing mechanism: An overview<\/h2>\n\n\n\n
To understand toll fraud malware, we need to know more about the billing mechanism that attackers use. The commonly used type of billing in toll fraud is Wireless Application Protocol (WAP). WAP billing is a payment mechanism that enables consumers to subscribe to paid content from sites that support this protocol and get charged directly through their mobile phone bill. The subscription process starts with the customer initiating a session with the service provider over a cellular network and navigating to the website that provides the paid service. As a second step, the user must click a subscription button, and, in some cases, receive a one-time password (OTP) that has to be sent back to the service provider to verify the subscription. The overall process is depicted below:<\/p>\n\n\n\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-1-the-wap-billing-process-in-a-nutshell.png\")
Figure 1. The WAP billing process in a nutshell<\/figcaption><\/figure>\n\n\n\n It should be noted that the process depends on the service provider, thus not all steps are always present. For example, some providers do not require an OTP, which means that the mobile user can subscribe to a service by simply clicking the subscription button while the device is connected to a cellular network. <\/p>\n\n\n\n
Fraudulent subscriptions via toll fraud<\/h2>\n\n\n\n
We classify a subscription as fraudulent when it takes place without a user’s consent. In the case of toll fraud, the malware performs the subscription on behalf of the user in a way that the overall process isn\u2019t perceivable through the following steps:<\/p>\n\n\n\n
- Disable the Wi-Fi connection or wait for the user to switch to a mobile network<\/li>
- Silently navigate to the subscription page<\/li>
- Auto-click the subscription button<\/li>
- Intercept the OTP (if applicable)<\/li>
- Send the OTP to the service provider (if applicable)<\/li>
- Cancel the SMS notifications (if applicable)<\/li><\/ol>\n\n\n\n
One significant and permissionless inspection that the malware does before performing these steps is to identify the subscriber’s country and mobile network through the mobile country codes (MCC) and mobile network codes (MNC). This inspection is done to target users within a specific country or region. Both codes can be fetched by using either the TelephonyManager<\/em>or the SystemProperties<\/em>class. The TelephonyManager.getSimOperator()<\/em> API call returns the MCC and MNCcodes as a concatenated string, while other functions of the same class can be used to retrieve various information about the mobile network that the device is currently subscribed to. As the network and SIM operator may differ (e.g., in roaming), the getSimOperator<\/em>function is usually preferred by malware developers.<\/p>\n\n\n\n
The same type of information can be fetched by using the SystemProperties.get(String key)<\/em> function where the key parameter may be one or several (using multiple calls) of the following strings: gsm.operator.numeric, gsm.sim.operator.numeric, gsm.operator.iso-country, gsm.sim.operator.iso-country, gsm.operator.alpha, gsm.sim.operator.alpha<\/em><\/p>\n\n\n\n
The difference with the first call is that the android.os.SystemProperties<\/em> class is marked as @SystemApi<\/em>, therefore an application has to use Java reflection to invoke the function. The MNC and MCC codes are also used to evade detection, as the malicious activity won\u2019t be performed unless the SIM operator belongs to the ones targeted:<\/p>\n\n\n\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-2-joker-malware-running-its-payload-targeting-south-african-mobile-operators-62bca491a07eb.png\")
Figure 2. Joker malware running its payload, targeting South African mobile operators<\/em><\/figcaption><\/figure>\n\n\n\n The following sections present an analysis of the fraudulent subscription steps in the context of the Android operating system. This analysis can help identify the API calls and the permissions needed for the implementation of a toll fraud scheme.<\/p>\n\n\n\n
Forcing cellular communication<\/h3>\n\n\n\n
Variants of toll fraud malware targeting Android API level 28 (Android 9.0) or lower disable the Wi-Fi by invoking the setWifiEnabled <\/em>method of the WifiManager <\/em>class. The permissions needed for this call are ACCESS_WIFI_STATE<\/em> and CHANGE_WIFI_STATE<\/em>. <\/strong>Since the protection level for both permissions is set to normal, they are automatically approved by the system.<\/p>\n\n\n\n
Meanwhile, malware targeting a higher API level uses the requestNetwork<\/em> function of the ConnectivityManager<\/em>class. The Android developers page<\/a> describes the requestNetwork method <\/em>as:<\/p>\n\n\n\n
This method will attempt to find the best network that matches the given NetworkRequest, and to bring up one that does if none currently satisfies the criteria. The platform will evaluate which network is the best at its own discretion. Throughput, latency, cost per byte, policy, user preference and other considerations may be factored in the decision of what is considered the best network.<\/em><\/p>\n\n\n\n
The required permission for this call is either CHANGE_NETWORK_STATE<\/em> (protection level: normal) or WRITE_SETTINGS<\/em>(protection level: signature|preinstalled|appop|pre23), but since the latter is protected, the former is usually preferred by malware developers. In the code snippet depicted below from a malware sample that can perform toll fraud, the function vgy7<\/em>is requesting a TRANSPORT_CELLULAR<\/em> transport type (Constant Value: 0x00000000) with NET_CAPABILITY_INTERNET<\/em> (Constant Value: 0x0000000c):<\/em><\/p>\n\n\n\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-3-code-from-a-joker-malware-sample-requesting-a-transport-cellular-transport-type.png\")
Figure 3. Code from a Joker malware sample requesting a TRANSPORT_CELLULAR transport type<\/em><\/figcaption><\/figure>\n\n\n\n Figure 3. Code from a Joker malware sample requesting a TRANSPORT_CELLULAR transport type<\/em><\/p>\n\n\n\n
The NetworkCallback<\/em>is used to monitor the network status and retrieve a network<\/em>type variable that can be used to bind the process to a particular network via the ConnectivityManager.bindProcessToNetwork<\/em>function. This allows the malware to use the mobile network even when there is an existing Wi-Fi connection. The proof-of-concept code depicted below uses the techniques described above to request a TRANSPORT_CELLULAR<\/em> transport type. If the transport type is available, it binds the process to the mobile network to load the host at example.com in the application\u2019s WebView:<\/p>\n\n\n\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-4-proof-of-concept-code-to-request-a-transport-cellular-transport-type.png\")
Figure 4. Proof-of-concept code to request a TRANSPORT_CELLULAR transport type<\/em><\/figcaption><\/figure>\n\n\n\n While it is expected that the Wi-Fi connection is preferred even when mobile connection is also available, the process exclusively uses the cellular network to communicate with the server:<\/p>\n\n\n\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-5b-the-mobile-browser-loads-example-com-when-transport-cellular-transport-type-is-available.png\")
Figure 5. The mobile browser loads example.com when TRANSPORT_CELLULAR transport type is available and loads a blank page when only Wi-Fi is available<\/em><\/figcaption><\/figure>\n\n\n\n In fact, the user must manually disable mobile data to prevent the malware from using the cellular network. <\/strong>Even though the setWifiEnabled<\/em>has been deprecated, it can still be used by malware targeting API level 28 or lower.<\/p>\n\n\n\n
Fetching premium service offers and initiating subscriptions<\/h3>\n\n\n\n
Assuming that the SIM operator is on the target list and the device is using a TRANSPORT_CELLULAR<\/em>type network, the next step is to fetch a list of websites offering premium services and attempt to automatically subscribe to them.<\/p>\n\n\n\n
The malware will communicate with a C2 server to retrieve a list of offered services. An offer contains, between else, a URL which will lead to a redirection chain that will end up to a web page, known as landing page.<\/p>\n\n\n\n
What happens next depends on the way that the subscription process is initiated, thus the malware usually includes code that can handle various subscription flows. In a typical case scenario, the user has to click an HTML element similar to the one depicted below (JOIN NOW), and as a second step, send a verification code back to the server:<\/p>\n\n\n\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-6-a-subscription-page-thats-loaded-in-the-background-without-the-users-knowledge.png\")
Figure 6. A subscription page that\u2019s loaded in the background without the user\u2019s knowledge.<\/em><\/figcaption><\/figure>\n\n\n\n For the malware to do this automatically, it observes the page loading progress and injects JavaScript code designed to click HTML elements that initiate the subscription. As the user can only subscribe once to one service, the code also marks the HTML page using a cookie to avoid duplicate subscriptions. The following is an example of such a code:<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-7-javascript-injected-code-scraping-related-html-elements.png\")
Figure 7. JavaScript injected code scraping related HTML elements<\/em><\/figcaption><\/figure>\n\n\n\n On line 76, getElementsByTagName<\/em>returns a collection of all the Document Object Model (DOM) elements tagged as input<\/em>. The loop on line 78 goes through every element and checks its type<\/em>as well as its name<\/em>, value,<\/em> and alt<\/em>properties. When an element is found to contain keywords, such as \u201cconfirm\u201d, \u201cclick\u201d, and \u201ccontinue\u201d, it is sent to the c<\/em>function, as depicted below:<\/p>\n\n\n\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-8-javascript-function-simulating-clicks-on-selected-html-elements-62bcbdc36d81e.png\")
Figure 8. JavaScript function simulating clicks on selected HTML elements<\/em><\/figcaption><\/figure>\n\n\n\n The if<\/em> statement on line 36 checks if the element has already been clicked by calling the jdh <\/em>function, displayed below in Figure 12. Finally, the c <\/em>function invokes the click()<\/em> or submit()<\/em> function by the time the branch on line 37 (see figure 11) is followed:<\/p>\n\n\n\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-9-javascript-code-checking-if-the-page-has-already-been-visited.png\")
Figure 9. JavaScript code checking if the page has already been visited<\/em><\/figcaption><\/figure>\n\n\n\n The HTML page loading process is tracked using an onPageFinished<\/em>callback of the WebViewClient<\/em>attached to the WebView. Subsequently, a handler that listens for relative message types acts depending on the next steps that are required for the subscription to take place. In the code snippet below, the URL loaded in the WebView and a signal<\/em>with id<\/em> \u201c128\u201dis sent to handler2<\/em>to evaluate the service and initiate the subscription process:<\/p>\n\n\n\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-10-malware-evaluating-the-steps-required-to-initiate-the-subscription-process.png\")
Figure 10. Malware evaluating the steps required to initiate the subscription process<\/em><\/figcaption><\/figure>\n\n\n\n Multi-step or target subscription processes may require additional verification steps. The handler depicted below checks the page URL loaded in the WebView. If the URL matches doi[.]mtndep.co.za\/service\/,<\/em> then the handler runs the JavaScript code assigned to the Properties.call_jbridge_dump<\/em> variable:<\/p>\n\n\n\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-11-malware-running-code-depending-on-certain-conditions.png\")
Figure 11. Malware running code depending on certain conditions<\/em><\/figcaption><\/figure>\n\n\n\n A signal<\/em> with id<\/em> \u201c107\u201d triggers some additional steps that require communication with the command and control (C2) server. This case is demonstrated in the following figures:<\/p>\n\n\n\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-12-malware-running-code-depending-on-the-specific-signal-id.png\")
Figure 12. Malware running code depending on the specific signal id<\/em><\/figcaption><\/figure>\n\n\n\n Upon receiving the signal, the handler invokes the v1.bhu8<\/em> function:<\/p>\n\n\n\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-13-malware-attacking-anti-fraud-protection.png\")
Figure 13. Malware attacking anti-fraud protection<\/em><\/figcaption><\/figure>\n\n\n\n After checking for the web-zdm[.]secure-d[.]io\/api\/v1\/activate<\/em>in the server\u2019s reply, the malware invokes the tpack[.]l2.bhu8[.]vgy7 <\/em>function. This function sends the current URL loaded in the application\u2019s WebView as well as some extra information like country code, and HTML code:<\/p>\n\n\n\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-14-malware-sending-information-to-the-c2-server.png\")
Figure 14. Malware sending information to the C2 server<\/em><\/em><\/figcaption><\/figure>\n\n\n\n ![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-15-a-solver-type-service-offered-by-the-c2-server.png\")
Figure 15. A solver-type service offered by the C2 server<\/em><\/figcaption><\/figure>\n\n\n\n Intercepting OTPs<\/h3>\n\n\n\n
In most cases, the service provider sends an OTP that must be sent back to the server to complete the subscription process. As the OTP can be sent by using either the HTTP or USSD protocol or SMS, the malware must be capable of intercepting these types of communication. For the HTTP protocol, the server\u2019s reply must be parsed to extract the token. For the USSD protocol, on the other hand, the only way to intercept is by using the accessibility service.<\/p>\n\n\n\n
One method of intercepting an SMS message, requiring android.permission.RECEIVE_<\/em>SMS<\/em> permission, is to instantiate a BroadcastReceiver<\/em> that listens for the SMS_<\/em>RECEIVED action.<\/p>\n\n\n\n
The following code snippet creates a BroadcastReceiver<\/em>and overrides the onReceive<\/em>callback of the superclass to filter out messages that start with \u201crch\u201d:<\/p>\n\n\n\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-16-code-that-filters-out-sms-messages-that-start-with-rch.png\")
Figure 16. Code that filters out SMS messages that start with \u201crch\u201d<\/em><\/figcaption><\/figure>\n\n\n\n Subsequently, it creates an IntentFilter<\/em>, which renders the receiver capable of listening for an SMS_RECEIVED<\/em> action, and finally the receiver is registered dynamically:<\/p>\n\n\n\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-17-the-intentfilter-enabling-the-receiver-to-listen-for-an-smsreceived-action-62bcbc599e278.png\")
Figure 17. The IntentFilter enabling the receiver to listen for an SMS_RECEIVED action<\/em><\/figcaption><\/figure>\n\n\n\n To handle OTP messages that are sent using the HTTP protocol, the malware parses the HTML code to search for keywords indicating the verification token. The following code contains a flow where the extracted token is sent to the server using the sendTextMessage<\/em> API call:<\/p>\n\n\n\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-18-extracted-token-is-sent-to-the-c2-server-using-the-sendtextmessage-api-call.png\")
Figure 18. Extracted token is sent to the C2 server using the sendTextMessage API call<\/em><\/figcaption><\/figure>\n\n\n\n The additional permission that is required to enable this flow is SEND_SMS<\/em>.<\/p>\n\n\n\n
Another way of intercepting SMS messages is to extend the NotificationListenerService<\/em><\/a>. This service receives calls from the system when new notifications are posted or removed, including the ones sent from the system\u2019s default SMS application. The code snippet below demonstrates this functionality:<\/p>\n\n\n\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-19-extending-the-notificationlistenerservice-service.png\")
Figure 19. Extending the NotificationListenerService service<\/em><\/figcaption><\/figure>\n\n\n\n
- Improving Android security and privacy<\/a><\/li><\/ul><\/li><\/ul>\n\n\n\n
- Fetching premium service offers and initiating subscriptions<\/a><\/li>
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-20-logcat-output-after-a-notification-is-posted.png\")
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-21-the-proof-of-concept-code-monitoring-for-incoming-sms-messages-through-smsobserver.png\")
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-22-the-function-where-the-entry-point-of-the-malware-leads-to.png\")
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-23-query-result-when-searching-for-355.png\")
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-24-the-nsj-function.png\")
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-25-fetching-the-second-payload-from-the-assets-directory.png\")
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-26-decrypting-the-assets-file.png\")
![\"\"](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-27-the-native-handletask-called-from-the-Java-code.png\")
<\/figure>\n\n\n\n![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-28-dynamically-loading-the-decrypted-asset-using-the-dexclassloader.png\")
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-29-the-decrypted-apk-file.png\")