Researchers at cybersecurity company Check Point have uncovered a threat campaign using never-before-seen, multi-functional malware that signs up Android users, without their consent, to premium services provided by telecoms in Thailand and Malaysia.
The new malware, named WAPDropper by the researchers, is multi-functional: it not only drops a premium dialer to subscribe victims to premium services, but can also download and execute second-stage malware on infected Android devices.
WAPDropper has the ability to download and execute additional malware on the infected device. This type of multi-function ‘dropper’, which stealthily installs onto a user’s phone and then downloads further malware, is the most common type of mobile infection seen in 2020.
It consists of two different modules: the dropper module, which is responsible for downloading the second-stage malware, and a premium dialer module that subscribes victims to premium services offered by legitimate sources – in this case, telecommunication service providers in two countries in Southeast Asia, Thailand and Malaysia.
In some cases, a CAPTCHA step (a program or system intended to distinguish human from machine input) is required to finalise the subscription. WAPDropper passes this test by using the services of “Super Eagle”, a Chinese company that offers a machine learning solution for image recognition.
Check Point believes that for this and similar schemes, the hackers and the owners of the premium rate numbers are either co-operating or could even be the same group of people – the more calls made using the premium-rate services, the more revenue is generated for those behind the services. Everybody wins, except the unfortunate victims of the scam.
Aviran Hazum, Manager of Mobile Research at Check Point Software Technologies, shared: “WAPDropper is truly multi-functional. Right now, this malware drops a premium dialer, but in the future this payload can change to drop whatever the attacker wants. This type of multi-function ‘dropper’, which stealthily installs onto a user’s phone and then downloads further malware, has been a key mobile infection trend we’ve seen in 2020.”
“These ‘dropper’ trojans represented nearly half of all mobile malware attacks between January and July 2020, with combined infections in the hundreds of millions globally. I expect the trend to continue as we turn the new year. I strongly urge Android users to only download apps from Google Play.”
How You Can Stay Protected
- Only download apps from official app stores, such as Google Play.
- Check the statements. Constantly check your mobile and credit-card bills to see if you have been signed up for any subscriptions.
- Unsubscribe and delete. If you notice unusual activity, unsubscribe from the subscriptions and immediately delete any applications you suspect.
- Optimise for prevention. Install a security solution to prevent future infections, such as Check Point SandBlast Mobile.