There's a nasty Android threat on the loose, according to the Microsoft 365 Defender Research Team, and it can drain your bank account for months if you're not aware of its presence. The threat, which Microsoft calls toll fraud malware, carries out billing fraud by secretly signing you up for paid services on your behalf.
It gets worse. Companies often send text messages to subscribers to confirm a payment, right? With this Android malware, cybercriminals can suppress those text messages, so victims have no idea what's going on behind their back.
How toll fraud malware works
So how do malicious actors get you to sign up for subscriptions without your consent? They take advantage of a mechanism called Wireless Application Protocol (WAP) billing, which charges a purchase (e.g., HBO Max) directly to the consumer's phone bill.
They also disable victims' Wi-Fi because toll fraud malware requires a cellular connection to be successful. According to the Microsoft 365 Defender Research Team, threat actors target users of specific network operators. "Once the connection to a target network is confirmed, it stealthily initiates a fraudulent subscription and confirms it without the user's consent," the researchers said.
Toll fraud malware can even intercept the one-time passwords (OTPs) that are often sent to subscribers to verify paid services. Some providers don't use OTPs at all, which means the malware can subscribe to services on the victim's behalf with just one click.
As mentioned, even text messages about the new subscription enrollment get thwarted. "By having access to the notification listener service, the malware can [...] remove the notification."
Now, the victim has no idea that they've been signed up for unwanted premium services until they check their monthly phone bill. Among those who pay without looking, this deceptive scheme can go on for months — even years.
How to avoid it
This nasty Android bug can end up on your phone if you unwittingly download an inauthentic, malware-injected app masquerading as a legitimate platform in the Google Play Store. They're often pretending to be "cleaners" (e.g. phony antivirus apps), photography apps, chat and messaging platforms, and personalization apps.
How do you know if an app is fake? If it asks for permission to use a function that doesn't align with its purpose, something's up (e.g., a "photography app" asking for SMS privileges).
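The permission-mismatch check above can be automated against an app's AndroidManifest.xml before you install or publish it. The script below is an added example written for this article, not code from Microsoft or from any app; it parses a constructed manifest for a hypothetical "photography" app and flags the three capabilities the report associates with toll fraud malware: SMS access (for OTP interception), connectivity-changing permissions (for forcing a cellular connection), and a notification listener service (for hiding confirmation messages). The category baseline in EXPECTED_BY_CATEGORY is an assumption you would tune for your own app store or fleet.

```python
"""Flag Android manifest capabilities that do not fit an app's stated purpose.

Added example: a heuristic pre-install / pre-publish check, not Microsoft's tooling.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"
ANDROID_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android permission names for the capabilities the report describes.
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
CONNECTIVITY_PERMS = {
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.CHANGE_NETWORK_STATE",
}
# Declared on a <service>, not as a <uses-permission>.
NOTIFICATION_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Assumption: which sensitive capabilities each app category plausibly needs.
# A messaging app may legitimately read SMS; a photo app or "cleaner" should not.
EXPECTED_BY_CATEGORY = {
    "photography": set(),
    "cleaner": set(),
    "personalization": set(),
    "messaging": set(SMS_PERMS),
}


def parse_manifest(xml_text):
    """Return (declared uses-permissions, services bound as notification listeners)."""
    root = ET.fromstring(xml_text)
    perms = {el.get(ANDROID_NAME) for el in root.iter("uses-permission")}
    listeners = [
        svc.get(ANDROID_NAME)
        for svc in root.iter("service")
        if svc.get(ANDROID_PERMISSION) == NOTIFICATION_LISTENER_PERM
    ]
    return perms, listeners


def assess(xml_text, category):
    """List (finding_kind, identifiers) pairs for capabilities the category should not need."""
    perms, listeners = parse_manifest(xml_text)
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    findings = []
    unexpected_sms = (perms & SMS_PERMS) - expected
    if unexpected_sms:
        findings.append(("sms", sorted(unexpected_sms)))
    unexpected_net = (perms & CONNECTIVITY_PERMS) - expected
    if unexpected_net:
        findings.append(("connectivity", sorted(unexpected_net)))
    if listeners and NOTIFICATION_LISTENER_PERM not in expected:
        findings.append(("notification_listener", sorted(listeners)))
    return findings


# Constructed sample: a hypothetical "photo filter" app whose manifest asks for far more
# than a camera app needs. Package name and class names are placeholders.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photofilters">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: the same category of app with only the permission it needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photofilters">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        findings = assess(manifest, "photography")
        print(f"{label}: {'OK' if not findings else findings}")
```

Run it as-is to see the constructed photo app flagged on all three counts while the benign manifest passes. In practice you would extract the manifest from the APK (for example with a decoding tool of your choice) and feed its text to assess() together with the category the listing claims; any finding is a reason to look closer, not proof of fraud, because the heuristic only encodes the mismatch rule the article describes.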
Toll fraud malware isn't new, but Microsoft warns that it continues to evolve. It's worth noting that this vulnerability only affects users with phones that run Android 9.0 or older. As such, simply updating your device should suffice. If you can't run any updates on it, check out our best mobile security apps page.