Beware of WAPDropper, the mobile malware that subscribes users to Premium Rate Services

None of us likes to receive a bill that’s much larger than we were expecting – especially when we have no knowledge of how the extra costs were incurred.  So imagine how you’d feel if you discovered that you’d been signed up to premium-rate phone services without your knowledge or consent. As well as the ‘bill shock,’ you’d have the headache of trying to get those charges removed from your account. How would you prove to your service provider that you never intended to use those services or make those calls?

This type of scam is known as International Revenue Share Fraud (IRSF) and it’s big business, generating an estimated $4 to $6 billion per year for fraudsters.  Check Point Research recently discovered a new IRSF campaign which uses an insidious new mobile malware variant to quietly sign users up to premium-rate services.

The new malware, called WAPDropper, can download and execute additional malware on the infected device. This type of multi-function ‘dropper’, which stealthily installs on a user’s phone and then fetches further malware, was the most common type of mobile infection seen in 2020: our ‘Cyber Attack Trends: 2020 Mid-Year Report’ showed that dropper trojans accounted for nearly half of all mobile malware attacks between January and July, with combined infections in the hundreds of millions globally.

WAPDropper consists of two modules: a dropper module, responsible for downloading the second-stage malware, and a premium dialer module that subscribes victims to premium services offered by legitimate sources – in this case, telecommunications service providers in two Southeast Asian countries, Thailand and Malaysia.

In this and similar schemes, the malware operators and the owners of the premium-rate numbers are either co-operating or may even be the same group. It is simply a numbers game: the more victims who are signed up to, or make calls to, the premium-rate services, the more revenue flows to those behind them. Everybody wins, except the unfortunate victims of the scam.

Infection Chain

Infection starts with the user downloading a trojanized app to their phone from an unofficial app store. After installation, WAPDropper contacts its Command and Control (C&C) server and downloads the premium dialer module, which opens a tiny web view and loads the premium-service pages offered by legitimate telecom companies.

Once WAPDropper has loaded the telcos’ landing pages promoting the premium-rate services, it attempts to subscribe the user to those services. In some cases a CAPTCHA step is required to complete the subscription. WAPDropper passes this test by using the services of “Super Eagle”, a Chinese company that offers a machine-learning-based image recognition service.

Figure 1 – Attack Chain flow illustration
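The two behaviours described above, a loader that executes code the app did not ship with and a web view driven without the user’s involvement, are what an analyst looks for when triaging an unknown APK. The following is an added example, not code from the Check Point research or a published WAPDropper signature: a static triage heuristic that scans the DEX string tables of an APK for the Android APIs those behaviours need and lists code payloads stored outside the normal package layout. The Android/Dalvik class names are real; the scoring rule and the two in-memory sample packages are assumptions constructed for illustration.

```python
import io
import zipfile

# Indicators for the two behaviours discussed above. The identifiers are real
# Android/Dalvik API names; finding them is a reason to look closer, not proof
# of malice, since plugin frameworks and hybrid apps use the same APIs.
INDICATORS = {
    # Runtime loading of DEX/JAR code: what a dropper needs to run a 2nd stage.
    "dynamic_code_loading": [
        b"Ldalvik/system/DexClassLoader;",
        b"Ldalvik/system/PathClassLoader;",
        b"Ldalvik/system/InMemoryDexClassLoader;",
    ],
    # Scripted WebView control: what is needed to walk a billing page unattended.
    "webview_automation": [
        b"Landroid/webkit/WebView;",
        b"setJavaScriptEnabled",
        b"addJavascriptInterface",
        b"evaluateJavascript",
        b"loadUrl",
    ],
}

# Code carried inside the package but outside the normal classes*.dex / lib/ layout.
CODE_SUFFIXES = (".dex", ".apk", ".jar", ".so")


def is_main_dex(name: str) -> bool:
    """classes.dex, classes2.dex, ... at the archive root are the app's normal code."""
    return "/" not in name and name.startswith("classes") and name.endswith(".dex")


def scan_apk(apk_bytes: bytes) -> dict:
    """Return indicator hits, unusual code payload paths, and a coarse verdict."""
    indicators = {}
    embedded_code = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if is_main_dex(name):
                data = zf.read(name)
                for category, needles in INDICATORS.items():
                    hits = sorted(n.decode() for n in needles if n in data)
                    if hits:
                        indicators.setdefault(category, []).extend(hits)
            elif name.lower().endswith(CODE_SUFFIXES) and not name.startswith("lib/"):
                embedded_code.append(name)
    # Assumed scoring rule: a loader for foreign code combined with either a
    # bundled payload or scripted WebView use is worth an analyst's time.
    suspicious = "dynamic_code_loading" in indicators and (
        bool(embedded_code) or "webview_automation" in indicators
    )
    return {"indicators": indicators, "embedded_code": embedded_code, "suspicious": suspicious}


def build_sample_apk(entries: dict) -> bytes:
    """Constructed test fixture: an in-memory zip standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: only the string content of classes.dex and the entry
# names matter to this heuristic, so the other bytes are placeholders.
DROPPER_LIKE = build_sample_apk({
    "AndroidManifest.xml": b"<binary xml placeholder>",
    "classes.dex": b"dex\n035\x00Ldalvik/system/DexClassLoader;"
                   b"Landroid/webkit/WebView;setJavaScriptEnabledloadUrl",
    "assets/update.bin.jar": b"PK\x03\x04 stub second-stage payload",
})
BENIGN_LIKE = build_sample_apk({
    "AndroidManifest.xml": b"<binary xml placeholder>",
    "classes.dex": b"dex\n035\x00Landroid/app/Activity;Landroid/webkit/WebView;loadUrl",
    "lib/arm64-v8a/libnative.so": b"\x7fELF stub",
})

if __name__ == "__main__":
    for label, sample in (("dropper-like", DROPPER_LIKE), ("benign-like", BENIGN_LIKE)):
        print(label, scan_apk(sample))
```

Run against a real APK with `scan_apk(open("app.apk", "rb").read())`. The benign sample shows why the rule needs both halves: a hybrid app that merely embeds a WebView and loads URLs is not flagged, while the dropper-like sample trips on the class loader, the scripted WebView and the JAR hidden under assets/ together.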

Stay Protected From Mobile Threats

To avoid being hit by malware such as WAPDropper, one of the most important steps users can take is to download apps only from official app stores (Apple’s App Store and Google Play). Even this is no guarantee, however: in 2019, the PreAMo ad-clicker malware was hidden inside six applications in Google Play that were downloaded over 90 million times before they were removed.

Enforcing policies that block corporate users from downloading apps from unofficial sources used to be impractical for organizations, but no longer. With SandBlast Mobile’s Download Prevention feature, organizations can block app downloads on both iOS and Android devices based on characteristics such as the domain the app is downloaded from, the file extension, the signing certificate and more. This prevents users from downloading apps from untrusted sources, reducing the risk of installing applications with malicious content. Administrators can also whitelist specific domains.

If you suspect you may have an infected app on your device, here is what you should do:

  • Uninstall the infected application from the device
  • Check your mobile and credit-card bills for subscriptions you did not authorize, and cancel them where possible
  • Install a security solution to prevent future infections

Check Point SandBlast Mobile is the market-leading Mobile Threat Defense (MTD) solution, providing the widest range of capabilities to help you secure your mobile workforce. The solution provides protection for all mobile vectors of attack, including the download of malicious applications and applications with malware embedded in them.