Cybercriminals increasingly find new ways to access our personal data or bank account and the latest one is a virus whose purpose is to disable Wi-Fi to pay service subscriptions in a fully automatic way. It is a problem that affects the Android operating system and that Microsoft itself has warned about.
The US company reports that this scam is one of the most common threats in Google’s program and has recently evolved into features that allow you to purchase a subscription without your doing anything. Also, Play Protect cannot do anything since it is not an application.
The method they use is simple, as we have already seen it in other types of billing malware. In short, the hacker tricks users into making a call or sending an SMS message to a certain number. However, there is a big difference, and that is that this fraud does not require a Wi-Fi connection and forces the devices to directly use the mobile data of your operator. Below we will explain more about this threat and how to avoid it.
How the virus works on Android
It has been Microsoft who has presented in a report technical details on how this malware works and its prevention in the Android system. This scam occurs thanks to the Wireless Application Protocol (WAP), a system that allows users to pay for a subscription to paid services and add the corresponding charge to the telephone bill.
This requires a mandatory step from the consumer and this is where the danger lies. The customer must press the corresponding button, although this malware is capable of carrying out the subscription itself . The problem is that some services send a one-time password (OTP), although they also have a defense mechanism against such processes.
It is at this moment that the virus takes over Android and starts the automatic subscription at the same time that it intercepts the OTPs and suppresses the notifications so as not to alarm the victim. In addition, Microsoft has identified several procedures that it executes without the user being aware of it:
- Silently navigate to the subscription web page.
- Automatically click the button.
- Intercept the OTP.
- Send the OTP to the provider.
- Cancel SMS notifications.
They disable Wi-Fi and attack
The first mission of this fraud is to collect information from the individual about their country of origin and mobile network, two processes for which no permission is required. In this sense, the key step is to disable the smartphone’s Wi-Fi connection and force it to use the operator’s network, which is possible on Android 9 or lower with a normal permission level.
This malware uses what is known as “NetworkCallback” to monitor the state of the network in real time and obtain the variable called “Networktype” with the aim of linking the process without you realizing it, forcing the phone to take advantage of the Internet connection. mobile data . This means that the only way for the user to avoid this problem is to deactivate it beforehand.
