Toll fraud Android malware is major threat to steal your money

Researchers from Microsoft warn that toll fraud Android malware has been one of the most prevalent malware downloaded from the Google Play Store since 2017 and is a major threat to steal your money.

In the first quarter of 2022, Google also reported toll fraud was more than 34% of the Potentially Harmful Applications (PHAs) installed from the Google Play Store, ranked second only to Spyware.

According to Microsoft, toll fraud malware is a type of billing fraud where malicious applications subscribe users to premium services without their knowledge or consent.

“By subscribing users to premium services, this malware can lead to victims receiving significant mobile bill charges. Affected devices also have increased risk because this threat manages to evade detection and can achieve a high number of installations before a single variant gets removed,” Microsoft 365 Defender Research Team wrote in a blog post on June 30, 2022.

One of the unique characteristics of this malware is how it takes advantage of the Wireless Application Protocol (WAP) billing mechanism, which allows consumers to subscribe to paid content from certain sites. As a result, users then get charged directly via their cell phone bill.

Microsoft warned the toll fraud malware will clandestinely subscribe on behalf of the victim by following these steps:

  1. Disable the Wi-Fi connection or wait for the user to switch to a mobile network
  2. Silently navigate to the subscription page
  3. Auto-click the subscription button
  4. Intercept the OTP (if applicable)
  5. Send the OTP to the service provider (if applicable)
  6. Cancel the SMS notifications (if applicable).

After technical analysis, Microsoft described in detail how the malware forces cellular communication, fetches premium service offers via a command and control (C2) server, can intercept a one time password (OTP), suppresses notifications, and uses dynamic code loading for cloaking.


Finally, Microsoft recommends users follow these safeguards to protect themselves from toll fraud malware threats:

  • Install mobile apps only from the Google Play Store or other trusted sources.
  • Avoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong understanding of why the application needs it.
  • Use anti-malware solutions to detect malicious applications.
  • Replace older devices that can no longer receive software and security updates.

Related Articles