How an Android application can drain your wallet
The Wireless Application Protocol billing (WAP Billing) is a payment mechanism that enables consumers to subscribe to paid services and get charged directly to their mobile phone bill. To initiate a subscription process the user has to navigate to a website that offers the service, while the device is registered to a cellular network, and click on a designated subscription button. As a verification step, a one-time password is sent to the user which has to be submitted back to the service provider in order to confirm the subscription.
Billing fraud is one of the most prevalent types of Android malware that leverages weaknesses in the aforementioned process in order to automatically subscribe the users to paid services. With revenue reaching up to $10 billion dollars annually, it monopolizes the media spotlight since it found its way to a wider audience through the Google Play Store back in 2017. Up to this day it is still among the Potential Harmful Applications (PHA) with the highest install rate according to Google Play’s transparency report.
This paper focuses on Toll Fraud, a Billing Fraud subcategory and tries to shed some light on its behavioral model from a solid technical perspective. More specifically, we are investigating the evasion techniques used and the actions taken from the malware’s side in order to imitate the user and perform a fraudulent subscription. Finally, we propose improvements with regard to Antivirus detection as well as improvements to the operating system level in order to mitigate the issue.