New case clicker codes August 2017

1/2/2023

During the preparation of the “IT threat evolution Q2 2017” report I found several common Trojans in the “Top 20 mobile malware programs” list that were stealing money from users using WAP-billing – a form of mobile payment that charges costs directly to the user’s mobile phone bill so they don’t need to register a card or set up a user-name and password. This mechanism is similar to premium rate SMS messages but Trojans do not need to send any SMS in this case – they just need to click on a button on a web page with WAP-billing.

From the user’s perspective, a page with WAP-billing looks like a regular web page. Usually such pages contain complete information about payments and a button. By clicking on this button, the user will be redirected to a mobile network operator server, which may show additional information and request the user’s final decision about payment by clicking on another button. If the user connects to the Internet through mobile data, the mobile network operator can identify him/her by IP address. Mobile network operators charge users only if they are successfully identified and only after a click on the button.

From a financial point of view, this mechanism is similar to the premium rate SMS service – the charge is directly applied to users’ phone bills. However, in this case Trojans do not need to send any SMS – just to click on a button on a web page with WAP-billing.

We hadn’t seen any Trojans like this in a while, but several of them appeared out of nowhere. Different Trojans from different cybercriminal groups targeting different countries (Russia and India) became common at the same time. Most of them had been under development since the end of 2016 / the beginning of 2017, but their prevalence increased only in the second half of Q2 2017. Therefore, I decided to take a closer look at these Trojans.

In general, these Trojans do similar things. First, they turn off WiFi and turn on mobile Internet. They do this because WAP-billing works only through mobile Internet. Then they open a URL which redirects to the page with WAP-billing. Usually, Trojans load such pages and click on buttons using JavaScript (JS) files. After that they need to delete incoming SMS messages containing information about subscriptions from the mobile network operator.

Furthermore, some of them have the ability to send premium rate SMS messages. In addition, some exploit Device Administrator rights to make it harder to delete the Trojan.

I started with Trojans that are detected as. These files are recognized as malicious by our system, based on machine learning algorithms. The most popular files detected in Q2 2017 by ML detection were Trojans abusing WAP-billing services. After analyzing them, I found that they belong to the malware family.

This Trojan attacked more than 1,400 users in July 2017; most of them were from India (38%), South Africa (31%) and Egypt (15%).

When talking about clickjacking WAP-billing services, we should mention. This Trojan – initially found in 2014 – was a regular Trojan-SMS until 2015, when cybercriminals switched to attacking WAP-billing services. This Trojan has lots of functionality but its main task is to steal money by subscribing users to WAP services. It was the first mobile Trojan that was able to bypass captcha. Over the next few years it became one of the most popular mobile Trojans. Its last appearance in the top 20 most popular mobile Trojans was in Q2 2016. Podec is still being actively distributed, mainly in Russia. It was the third most common Trojan in June 2017 among other Trojans abusing WAP-billing.

Conclusion

During the last few months, we have detected growth in Trojans attacking WAP-billing services in different countries.
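The behaviour chain described above (WiFi off, mobile data on, WAP-billing page loaded, scripted click, subscription SMS deleted) can be expressed as a detection rule over device telemetry. The sketch below is an added example, not code from the original article or its authors; the event names, the tuple layout and the 120-second window are assumptions, and the sample telemetry is constructed.

```python
from collections import defaultdict

# Behaviour steps from the article; event names are hypothetical telemetry labels.
CHAIN = ("wifi_disabled", "mobile_data_enabled", "webview_load",
         "js_click", "sms_deleted")

def find_chain(events, window=120):
    """Return {package: (start, end)} for apps that perform every CHAIN step,
    in order, within `window` seconds of disabling WiFi."""
    per_app = defaultdict(list)
    for ts, package, action in sorted(events):
        per_app[package].append((ts, action))
    hits = {}
    for package, evs in per_app.items():
        for i, (start, action) in enumerate(evs):
            if action != CHAIN[0]:
                continue
            step, end = 1, start
            for ts, act in evs[i + 1:]:
                if ts - start > window:
                    break  # too slow to be one automated sequence
                if act == CHAIN[step]:
                    step, end = step + 1, ts
                    if step == len(CHAIN):
                        break
            if step == len(CHAIN):
                hits[package] = (start, end)
                break
    return hits

# Constructed sample telemetry: (timestamp in seconds, package, action).
SAMPLE = [
    (1000, "com.example.flashlight", "wifi_disabled"),
    (1002, "com.example.flashlight", "mobile_data_enabled"),
    (1005, "com.example.flashlight", "webview_load"),
    (1007, "com.example.flashlight", "js_click"),
    (1030, "com.example.flashlight", "sms_deleted"),
    (1001, "com.example.browser", "webview_load"),  # benign: no radio or SMS steps
    (1003, "com.example.browser", "js_click"),
    # Same steps as the chain, but spread over hours: outside the window.
    (2000, "com.example.slowapp", "wifi_disabled"),
    (2001, "com.example.slowapp", "mobile_data_enabled"),
    (9000, "com.example.slowapp", "webview_load"),
    (9001, "com.example.slowapp", "js_click"),
    (9002, "com.example.slowapp", "sms_deleted"),
]

if __name__ == "__main__":
    print(find_chain(SAMPLE))
```

Requiring the full ordered chain inside a short window is what keeps an ordinary browser, or a user toggling WiFi by hand, from matching.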