Researchers Can’t Explain Why WAP-Billing Trojans Are Making a Comeback


After years of silence, WAP-billing trojans are making a comeback, with four new strains becoming active in the second quarter of 2017, targeting Russia and India primarily.

The four trojans (Ubsod, Xafekopy, Autosus, and Podec) were discovered by Kaspersky Lab mobile security expert Roman Unuchek while gathering information for the company’s IT Threat Evolution Q2 2017 report.

Unuchek says he was aware that different cyber-crime groups were developing mobile trojans with the ability to perform covert WAP billing operations since the end of 2016, but he wasn’t expecting these tools to be deployed and featured so heavily in active campaigns.

WAP billers making a comeback

Trojans that perform fraudulent WAP billing were popular at the start of the 2000s when WAP was a popular method of paying for content online in the early stages of mobile networks.

Since then, WAP billing has been replaced by premium SMS numbers, and by mobile wallet solutions like the ones offered by PayPal, Apple Pay, Samsung Pay, and others.

Nonetheless, WAP billing is still supported by most operators and a slew of online services, especially in third world countries, where networks don’t support newer technologies.

Experts surprised by new wave of WAP billers

The Kaspersky expert says that during the second quarter of 2017, four different criminal groups deployed Android apps that performed surreptitious WAP billing operations.

These malware families were not pure WAP billing trojans, but also contained other features, like the ability to spy on targets, show ads, steal incoming messages, and others.

This is what surprised experts, as researchers expected these other features to be used primarily and not the WAP billing functions, as attackers could have very easily earned the same amount of money by subscribing users to premium SMS numbers or by showing ads on infected devices.

“We weren’t able to find a reason why so many cybercriminals decided to switch or to start attacking WAP-billing services at the same time,” Unuchek said about this mysterious wave of WAP billers.

One Bleeping Computer reader has a plausible explanation for why WAP billing became popular once more.

Four major campaigns spotted in June and July

At the technical level, the WAP-billing features worked just like they did in the past, by disabling WiFi, connecting via a mobile data connection (WAP works only via mobile data), using JavaScript to access WAP billing pages, and then clicking on the special billing button.
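The steps above happen in a fixed order, and that order is what a defender can correlate on. The following is an added example, not code from Kaspersky Lab or from this article: it scans constructed per-app telemetry for an app that turns Wi-Fi off, loads a JavaScript-enabled page over mobile data, and then registers a click with no user touch. The event names, fields, package names and the 120-second window are all assumptions.

```python
from collections import defaultdict

# Constructed telemetry: (seconds, app package, event, detail). The event
# names and fields are assumptions for this example, not a real log schema.
EVENTS = [
    (10, "com.example.flashlight", "wifi_disabled", {}),
    (14, "com.example.flashlight", "page_load", {"network": "cellular", "javascript": True}),
    (17, "com.example.flashlight", "click", {"user_touch": False}),
    (33, "com.example.browser", "click", {"user_touch": True}),
    (50, "com.example.settings", "wifi_disabled", {}),
    (400, "com.example.settings", "page_load", {"network": "cellular", "javascript": True}),
    (402, "com.example.settings", "click", {"user_touch": False}),
]

WINDOW = 120  # seconds allowed between Wi-Fi going off and the scripted click


def _step_matches(step, event, detail):
    """True when the event is the next step of the WAP-billing sequence."""
    if step == 0:
        return event == "wifi_disabled"
    if step == 1:
        return (event == "page_load" and detail.get("network") == "cellular"
                and detail.get("javascript") is True)
    return event == "click" and detail.get("user_touch") is False


def find_wap_billing_sequences(events, window=WINDOW):
    """Return (app, start, end) for each app that completes all three steps in order."""
    state = defaultdict(lambda: {"step": 0, "start": None})
    alerts = []
    for ts, app, event, detail in sorted(events, key=lambda e: e[0]):
        s = state[app]
        # A stale partial sequence is dropped so unrelated events do not chain.
        if s["step"] > 0 and ts - s["start"] > window:
            s["step"], s["start"] = 0, None
        if _step_matches(s["step"], event, detail):
            if s["step"] == 0:
                s["start"] = ts
            s["step"] += 1
            if s["step"] == 3:
                alerts.append((app, s["start"], ts))
                s["step"], s["start"] = 0, None
    return alerts


if __name__ == "__main__":
    for app, start, end in find_wap_billing_sequences(EVENTS):
        print(f"{app}: Wi-Fi off at t={start}s, scripted click at t={end}s")
```

The window keeps an ordinary Wi-Fi toggle from chaining with unrelated browsing minutes later, which is why the third constructed app is not flagged.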

Unuchek says he spotted four major campaigns. The first, the Ubsod trojan — detected as Trojan-Clicker.AndroidOS.Ubsod — was active in July 2017, and infected around 8,000 users across 82 countries. The expert says that 72% of the infected users were from Russia.

The second wave — the Xafekopy trojan (Trojan-Clicker.AndroidOS.Xafekopy) — was also active in July, but infected only around 5,000 users in 48 countries, with 40% of victims residing in India.

The third trojan, Autosus (Trojan-Clicker.AndroidOS.Autosus.a), was also active in July 2017, but infected only around 1,400 users, with 38% of victims in India, and 31% in South Africa.

The fourth wave was active in June 2017 and spread the Podec trojan (Trojan-SMS.AndroidOS.Podec.a), a malware that was first spotted in 2014, and which was once more active in Russia.

As there is no way to disable WAP billing on users’ devices, the simplest way to avoid unwanted WAP transactions on your monthly phone bill is to avoid installing infected apps on your phone.

Image credits: Maxim Kulikov, Bleeping Computer