Compared to other subcategories of billing fraud, which include SMS fraud and call fraud, toll fraud has unique behaviours.
According to Microsoft 365 Defender research team, whereas SMS fraud or call fraud use a simple attack flow to send messages or calls to a premium number, toll fraud has a complex multi-step attack flow that malware developers continue to improve.
“For example, we saw new capabilities related to how this threat targets users of specific network operators. It performs its routines only if the device is subscribed to any of its target network operators,” warned the company.
It also, by default, uses cellular connection for its activities and forces devices to connect to the mobile network even if a Wi-Fi connection is available.
Once the connection to a target network is confirmed, it stealthily initiates a fraudulent subscription and confirms it without the user`s consent, in some cases even intercepting the one-time password (OTP) to do so.
“It then suppresses SMS notifications related to the subscription to prevent the user from becoming aware of the fraudulent transaction and unsubscribing from the service,” Microsoft explained.
Another unique behaviour of toll fraud malware is its use of dynamic code loading, which makes it difficult for mobile security solutions to detect threats.
Despite this evasion technique, the team identified characteristics that can be used to filter and detect this threat.
“We also see adjustments in Android API restrictions and Google Play Store publishing policy that can help mitigate this threat,” said the company.
“A rule of thumb is to avoid installing Android applications from untrusted sources (sideloading) and always follow up with device updates,” Microsoft advised.
“Avoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong understanding of why the application needs it,” it added.