New WAPDropper malware abuses Android devices for WAP fraud

New WAPDropper malware signs up Android users to premium services provided by telecoms in Thailand and Malaysia.

sms-phone.jpg

Security researchers have detected a new strain of Android malware being currently distributed in the wild, primarily targeting users located in Southeast Asia.

ZDNet Recommends

The best antivirus software and apps

A roundup of the best software and apps for Windows and Mac computers, as well as iOS and Android devices, to keep yourself safe from malware and viruses.

Read More

Discovered by security firm Check Point, this new malware is named WAPDropper and is currently spread via malicious apps hosted on third-party app stores.

Check Point said that once the malware infects a user, it starts signing them up for premium phone numbers that charge large fees for various types of services.

The end result is that all infected users would receive large phone bills each month until they unsubscribed from the premium number or reported the issue to their mobile provider.

This type of tactic, known as "WAP fraud," was very popular in the late 2000s and early 2010s, died out with the rise of smartphones, but made a comeback in the late 2010s as malware authors realized that many modern phones and telcos still supported the older WAP standard.

WAPDropper gang most likely based in SE Asia

Check Point says that based on the premium phone numbers used in this scheme, the malware authors are most likely based or collaborating with someone in Thailand or Malaysia.

"In this and similar schemes, the hackers and the owners of the premium rate numbers are either co-operating or could even be the same group of people," the company said today in a report.

"It's simply a numbers game: the more calls made using the premium-rate services, the more revenue is generated for those behind the services. Everybody wins, except the unfortunate victims of the scam."

As for the malware itself, Check Point says WAPDropper operated using two different modules. The first was known as a dropper, while the second module was the component that performed the actual WAP fraud.

The first module was the only one packed inside the malicious apps, primarily to reduce the size and fingerprint of any malicious code inside them. Once the apps were downloaded and installed on a device, this module would download the second component and start defrauding victims.

But Check Point also wants to raise a sign of alarm about this particular piece of malware.

"Right now, this malware drops a premium dialer, but in the future this payload can change to drop whatever the attacker wants," Aviran Hazum, Manager of Mobile Research at Check Point, told ZDNet.

"This type of multi-function 'dropper,' which stealthily installs onto a user's phone and then downloads further malware, has been a key mobile infection trend we've seen in 2020. These 'dropper' trojans represented nearly half of all mobile malware attacks between January and July 2020, with combined infections in the hundreds of millions globally.

"I expect the trend to continue as we turn the new year," Hazum added.

The Check Point researcher encouraged users to download apps only from the official Google Play Store.

The Check Point team also told ZDNet that for the time being, they found the WAPDropper malware inside apps named "af," "dolok," an email app called "Email," and a kids game named "Awesome Polar Fishing." Users who installed any of these apps from outside the Play Store are advised to remove them from their devices as soon as possible.