WAPDropper malware abuses Android devices for WAP fraud

Security researchers have detected a new strain of Android malware currently being distributed in the wild. The malware is named WAPDropper, and it spreads via malicious apps hosted on third-party app stores.


Once the malware infects a device, it starts signing the user up to premium-rate phone numbers that charge large fees for various services. The result is that every infected user receives a large phone bill each month, and the charges continue until the user unsubscribes from the premium number or reports the issue to their mobile provider.


This type of multi-function malware, which stealthily installs itself on a user's phone and then downloads further malware, has been a key mobile infection trend.


This tactic is known as "WAP fraud." It was very popular in the late 2000s and early 2010s and died out with the rise of smartphones, but malware authors have realized that many modern phones and telcos still support the older WAP standard.

Researchers observed that the malware primarily targets users located in Southeast Asia. They say the malware authors are most likely based in, or collaborating with someone in, Thailand or Malaysia.


In these schemes, the hackers and the owners of the premium-rate numbers are either cooperating or may even be the same group of people.

What the malware is

It's simply a numbers game: the more calls made using the premium-rate services, the more revenue is generated for those behind the services. Everybody wins, except the unfortunate victims of the scam.

WAPDropper operates using two different modules. The first is a dropper, while the second is the component that performs the actual WAP fraud.

The modules work in sequence. The dropper is packed inside the malicious apps, primarily to keep the size and fingerprint of any malicious code inside them small. Once an app is downloaded and installed on a device, the dropper downloads the second component, which then starts defrauding the victim.

The malware was also found inside apps named "af," "dolok," an email app called "Email," and a kids' game named "Awesome Polar Fishing."

Although this malware currently drops a premium dialler, in the future the payload could change to whatever the attacker wants.

Recommendations:

  • Users are recommended to download apps only from the official Google Play Store.
  • Users who installed any of the listed malicious apps from outside the Play Store are advised to remove them from their devices as soon as possible.
  • Pay attention to your calling activities.
  • Do not sign up with your phone number where it is not required.
  • Users are advised to create accounts using a temporary email address.
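The "pay attention to your calling activities" advice can be turned into a concrete check. The following is an added example, not code from the article or from the researchers it cites: it scans a monthly billing export and reports destinations that were charged repeatedly as subscriptions or as short-code premium numbers, which is the pattern a WAP-fraud subscription leaves on a bill. The CSV layout (date, kind, destination, amount) and all numbers and amounts in the sample are constructed for this example.

```python
"""Flag recurring premium-rate charges in a phone bill export.

Added example, not part of the original article. The export format is an
assumption: one row per billed event with date, kind, destination, amount.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed sample billing export. The short codes, numbers and amounts
# are invented for this example and do not come from the article.
SAMPLE_BILLING_CSV = """date,kind,destination,amount
2020-10-03,call,+66812345678,2.50
2020-10-05,sms,+66898765432,1.00
2020-10-07,subscription,4422,39.00
2020-10-14,subscription,4422,39.00
2020-10-21,subscription,4422,39.00
2020-10-22,call,+66812345678,3.10
2020-10-28,subscription,4422,39.00
2020-10-30,subscription,1989,19.00
"""


@dataclass(frozen=True)
class BillingEntry:
    day: date
    kind: str          # "call", "sms" or "subscription" (assumed export format)
    destination: str   # dialled number or short code
    amount: float


def parse_billing(csv_text: str) -> List[BillingEntry]:
    """Parse the CSV export into BillingEntry records."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        BillingEntry(
            day=date.fromisoformat(row["date"]),
            kind=row["kind"].strip().lower(),
            destination=row["destination"].strip(),
            amount=float(row["amount"]),
        )
        for row in reader
    ]


def is_premium_short_code(destination: str) -> bool:
    """Heuristic: premium services are commonly billed via 3-6 digit short
    codes rather than full numbers with a country prefix."""
    return destination.isdigit() and 3 <= len(destination) <= 6


def find_recurring_premium_charges(entries: List[BillingEntry],
                                   min_occurrences: int = 2) -> Dict[str, dict]:
    """Group subscription and short-code charges by destination and return
    those billed at least `min_occurrences` times in the export.

    Returns {destination: {"count": n, "total": amount, "first": date}}.
    """
    groups = defaultdict(list)
    for entry in entries:
        if entry.kind == "subscription" or is_premium_short_code(entry.destination):
            groups[entry.destination].append(entry)

    flagged = {}
    for destination, items in groups.items():
        if len(items) >= min_occurrences:
            flagged[destination] = {
                "count": len(items),
                "total": round(sum(i.amount for i in items), 2),
                "first": min(i.day for i in items),
            }
    return flagged


if __name__ == "__main__":
    report = find_recurring_premium_charges(parse_billing(SAMPLE_BILLING_CSV))
    for dest, info in report.items():
        print(f"{dest}: {info['count']} charges since {info['first']}, "
              f"total {info['total']}")
```

On the constructed sample the checker reports short code 4422 with four weekly charges, while the single charge to 1989 falls below the default threshold; lowering `min_occurrences` to 1 surfaces first-time subscriptions as well, at the cost of more noise. The short-code heuristic is deliberately simple and should be adjusted to the numbering plan of the operator whose bill is being checked.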