This article is more than 1 year old

A blast from the past: Mobile trojans abusing WAP-billing services

Fraudsters now piggybacking on 2.5G mobile tech

Crooks slinging mobile trojans have reverted to old techniques by stealing users' money through WAP-billing services.

The "unusual" rise in mobile trojan clickers that steal money from Android users through Wireless Application Protocol (WAP) billing has been tracked by security researchers at Kaspersky Lab. The unexpected trend had been in evidence for a while, but in Q2 of 2017 it became surprisingly common, with thousands of affected users in different countries across the globe, mainly in India and Russia, according to Kaspersky Lab.

WAP billing has been widely used by mobile network operators for paid services and subscriptions for many years. This form of mobile payment charges costs directly to the user's mobile phone bill, avoiding the need for bank card registration or a sign-up process.

The technology normally works by redirecting users to a different web page where the user activates a subscription and their mobile account is charged.

Cybercrooks are abusing this legitimate technology by developing trojans that covertly subscribe to "services" owned and controlled by fraudsters. A simple registration of domains in a mobile operator's billing system allows fraudsters to connect their website to a WAP-billing service. As a result, money from a victim's account is siphoned off to line the pockets of fraudsters.

"We haven't seen these types of [WAP-billing service] trojans for a while," said Roman Unuchek, security expert at Kaspersky Lab. "The fact that they have become so popular lately might indicate that cybercriminals have started to use other verified techniques, such as WAP-billing, to exploit users. Moreover, a premium rate SMS trojan is more difficult to create. It is also interesting that malware has targeted mainly Russia and India, which could be connected to the state of their internal, local telecoms markets. However, we have also detected the trojans in South Africa and Egypt."

The most prevalent trojan strain abusing WAP-billing services, the Trojan-Clicker.AndroidOS.Ubsod malware family, receives URLs from its command-and-control server and opens them. According to Kaspersky Security Network statistics, this trojan infected almost 8,000 victims in 82 countries during July 2017. Another popular mobile malware using the same scam mechanism uses JavaScript files to click buttons with WAP billing. Examples of this variant include the Xafekopy trojan, which is distributed through ads while masquerading as useful apps such as battery optimisers and the like and has a Chinese-speaking origin.

Using JavaScript has allowed some miscreants to bolt on CAPTCHA bypass functionality to the likes of the Podec trojan, a strain of mobile malware particularly active in Russia.

Some trojan families, such as Autosus and Podec, exploit Device Administrator rights, making them harder to delete.

Michael Covington, VP of product strategy at Wandera, said: "While we have certainly seen examples of malware that targets users of WAP-billing services, it is not the most prevalent threat that we see on mobile. In fact, the class of malware that we currently see in broad distribution is adware. It seems that many attackers are simply going after a quick payday and mobile adware, much like spam was on email, provides the easiest way to profit from mass distribution."

To become active through mobile internet, all WAP-billing mobile trojan versions are able to turn off Wi-Fi and turn on mobile data, as explained in a blog post by Kaspersky Lab here. ®

More about

More about

More about


Send us news

Other stories you might like