
How the WAPDropper Malware Tricks You into Subscribing to Premium Telecoms Services

by CISOCONNECT Bureau

Recently, researchers discovered a malware subscribing victims to premium services without their knowledge. Read on to know more…

Recently, cybersecurity researchers at Check Point detected a new strain of Android malware that is currently circulating on the internet. This malware targets users located in Southeast Asia.

The researchers named this malware WAPDropper. It is currently distributed through a malicious app hosted on third-party app stores. The malware downloads and executes a payload: it drops a wireless application protocol (WAP) premium dialer, which subscribes victims to premium services in Thailand and Malaysia without their knowledge or permission.

Working Mechanism
The malware strain comprises two separate modules, according to Check Point Research, including a dropper module responsible for downloading the second-stage malware, and a premium dialer module that is responsible for the subscription element.

The scheme is centred on making calls to premium-rate numbers, which will, in turn, generate profit for the cyber criminals who collaborate with the owners of these particular phone numbers.

Once WAPDropper opens the landing pages, it’ll attempt to subscribe the victim to these services. Alarmingly, the process includes a mechanism that can bypass the CAPTCHA security requirement, which must be overcome to complete a transaction.

It’s at this stage that the operators use the services of Super Eagle, a Chinese firm that offers a machine learning tool for image recognition. When the malware submits the verification code image to the service, the platform returns the coordinates of the recognition result within the image, and the malware then parses those coordinates to simulate the input at that position.

The malware also attempts to avoid detection by hiding its icon to prevent users from spotting it on their device and uninstalling the app. The malware also performs checks to determine whether the victim is using a proxy or virtual private network (VPN).

Data Collected by WAPDropper
The following data are collected by WAPDropper:

• Device ID
• MAC address
• Subscriber ID
• Device model
• List of all installed apps
• List of running services
• Topmost activity package name
• Is the screen turned on
• Are notifications enabled for this app
• Can this app draw overlays
• Amount of available free storage space
• The total amount of RAM and available RAM
• List of non-system applications

Mitigation
To avoid being hit by malware such as WAPDropper, one of the most important steps that users can take is to only download apps from official app stores (Apple’s App Store and Google Play).

If you suspect you may have an infected app on your device, here is what you should do:

• Uninstall the infected application from the device
• Check your mobile and credit-card bills to see if you have been signed up for any subscriptions, and unsubscribe from these if possible
• Install a security solution to prevent future infections
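
To help find a suspect app, the Python below is an added example (not from Check Point or the original article) that triages a device for the two traits described above: installation from outside the official store and a hidden launcher icon. It assumes the output of `adb shell pm list packages -3 -i` has been saved as text and that the set of packages with a launcher entry was gathered separately; the function names and all package names are constructed for illustration.

```python
import re

# Assumption: only Google Play counts as an official installer for this triage.
OFFICIAL_INSTALLERS = {"com.android.vending"}

# One line of `pm list packages -3 -i`: "package:<name>  installer=<name|null>"
LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")

def parse_installers(pm_output):
    """Map each third-party package to its installer (None if unknown)."""
    installers = {}
    for raw in pm_output.splitlines():
        m = LINE.match(raw.strip())
        if m:
            inst = m.group("inst")
            installers[m.group("pkg")] = None if inst == "null" else inst
    return installers

def triage(pm_output, launcher_packages):
    """List apps not installed by an official store, hidden-icon apps first."""
    findings = []
    for pkg, inst in parse_installers(pm_output).items():
        if inst in OFFICIAL_INSTALLERS:
            continue
        findings.append({
            "package": pkg,
            "installer": inst,
            # No launcher entry means the user cannot see an icon to remove.
            "hidden_icon": pkg not in launcher_packages,
        })
    findings.sort(key=lambda f: (not f["hidden_icon"], f["package"]))
    return findings

# Constructed sample input, not taken from a real device.
SAMPLE_PM = """\
package:com.example.notes  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.example.wallpaper  installer=com.example.altstore
package:com.example.game  installer=com.android.vending
"""
SAMPLE_LAUNCHER = {"com.example.notes", "com.example.wallpaper", "com.example.game"}

if __name__ == "__main__":
    for f in triage(SAMPLE_PM, SAMPLE_LAUNCHER):
        flag = "NO LAUNCHER ICON" if f["hidden_icon"] else "visible"
        print(f'{f["package"]}: installer={f["installer"]} ({flag})')
```

A sideloaded app without a launcher icon is a lead for manual review, not proof of infection; legitimate background components can look the same.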
