
Nasty Android bug secretly subscribes you to paid apps — how to avoid it

Android hacker
(Image credit: Getty Images)

There's a nasty Android bug on the loose, according to the Microsoft 365 Defender Research Team, and it can drain your bank account for months if you're not cognizant of its presence. The threat, a class of malicious apps known as toll fraud malware, facilitates billing fraud, allowing malicious actors to secretly sign you up for paid services on your behalf.

It gets worse! Sometimes, companies send text messages to subscribers to confirm payment, right? However, with this ugly Android bug, cybercriminals can suppress those text messages, ensuring that victims have no idea what's going on behind their back.

How toll fraud malware works

So how do malicious actors get you to sign up for subscriptions without your consent? They take advantage of a mechanism called Wireless Application Protocol (WAP) billing, which charges a purchase (e.g., an HBO Max subscription) directly to the consumer's phone bill.

They also disable victims' Wi-Fi because toll fraud malware requires a cellular connection to be successful. According to the Microsoft 365 Defender Research Team, threat actors target users of specific network operators. "Once the connection to a target network is confirmed, it stealthily initiates a fraudulent subscription and confirms it without the user's consent," the researchers said.

Toll fraud malware can even intercept one-time passwords (OTPs) that are often sent to subscribers to verify paid services. Some providers don't roll out OTPs, which means hackers can subscribe to apps on victims' behalf with just one click.

As mentioned, even text messages about the new subscription enrollment get thwarted. "By having access to the notification listener service, the malware can [...] remove the notification."

Now, the victim has no idea that they've been signed up for unwanted premium services until they check their monthly phone bill. Among those who pay without looking, this deceptive scheme can go on for months — even years.

How to avoid it

This nasty Android bug can end up on your phone if you unwittingly download an inauthentic, malware-injected app masquerading as a legitimate platform in the Google Play Store. They're often pretending to be "cleaners" (e.g. phony antivirus apps), photography apps, chat and messaging platforms, and personalization apps.

How do you know if an app is fake? If it's asking for permission to utilize a function that doesn't align with its purpose, something's up (e.g., a "photography app" asking for SMS privileges).
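The permission mismatch described above can be checked before an app is trusted. The script below is an added example, not code from Microsoft or Laptop Mag; it parses an app's AndroidManifest.xml (as produced by a tool such as apktool) and flags the three capabilities toll fraud malware relies on: SMS access, a notification listener service, and the ability to toggle Wi-Fi. The manifest embedded here is a constructed sample; the permission names are real Android permissions.

```python
"""Flag manifest permissions that enable toll-fraud behaviour."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# SMS access lets the app read one-time passwords and confirmation texts.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
# Toggling Wi-Fi forces traffic onto the cellular path that WAP billing needs.
WIFI_PERMS = {"android.permission.CHANGE_WIFI_STATE"}
# A service guarded by this permission can read and dismiss notifications.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# App categories named on the page that have no legitimate need for SMS.
NO_SMS_CATEGORIES = {"cleaner", "photography", "personalization"}

# Constructed sample manifest for a fake "photo filters" app (not a real app).
SAMPLE_MANIFEST = f"""
<manifest xmlns:android="{ANDROID_NS}" package="com.example.photofilters">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application>
    <service android:name=".NotifSvc"
             android:permission="{NOTIFICATION_LISTENER}">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

def analyze_manifest(xml_text: str, category: str) -> list:
    """Return human-readable findings for the given manifest and app category."""
    root = ET.fromstring(xml_text)
    declared = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    findings = []
    sms = declared & SMS_PERMS
    if sms and category in NO_SMS_CATEGORIES:
        findings.append(f"{category} app requests SMS access: {sorted(sms)}")
    if declared & WIFI_PERMS:
        findings.append("can toggle Wi-Fi (forces the cellular path used by WAP billing)")
    for svc in root.iter("service"):
        if svc.get(PERMISSION_ATTR) == NOTIFICATION_LISTENER:
            findings.append(f"notification listener {svc.get(NAME_ATTR)} can hide SMS alerts")
    return findings

if __name__ == "__main__":
    for line in analyze_manifest(SAMPLE_MANIFEST, "photography"):
        print("WARNING:", line)
```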

Toll fraud malware isn't new, but Microsoft warns that it continues to evolve. It's worth noting that this vulnerability only affects users with phones that run Android 9.0 or older. As such, simply updating your device should suffice. If you can't run any updates on it, check out our best mobile security apps page.

Kimberly Gedeon, holding a Master's degree in International Journalism, launched her career as a journalist for MadameNoire's business beat in 2013. She loved translating stuffy stories about the economy, personal finance and investing into digestible, easy-to-understand, entertaining stories for young women of color. During her time on the business beat, she discovered her passion for tech as she dove into articles about tech entrepreneurship, the Consumer Electronics Show (CES) and the latest tablets. After eight years of freelancing, dabbling in a myriad of beats, she's finally found a home at Laptop Mag that accepts her as the crypto-addicted, virtual reality-loving, investing-focused, tech-fascinated nerd she is. Woot!