Kaspersky Lab researcher Roman Unuchek spotted an uptick in WAP-billing trojan-clickers from different cybercriminal groups targeting users in Russia and India.
The malware steals money from users using WAP-billing which is a mobile payment that charges costs directly to the user's mobile phone bill so that they don't have to register a payment card or set up login credentials, according to an Aug. 24 blog post.
The scam payment is similar to premium rate SMS messages but instead of needing to send an SMS, the user only needs to click a button on a web-page enabled with WAP-billing. To the user, the page would look like a normal web-page.
Unuchek said the although the attack method has been around for some time there's been a surge of attacks suddenly appeared in different trojans used by different groups and that most of them had been under development since the end of 2016 and that their prevalence has increased in the second half of Q2 2017.
The trojans are acting in similar ways in that they turn on mobile internet since it must be enabled for WAP-billing to work, they then open a URL which redirects users to the page with WAP-billing page often using a JavaScript files. The trojan may then delete the incoming SMS message containing information about subscriptions from the mobile network operator, the post said.
All of the Trojans are distributed outside of the Google Play store and are masquerading as useful apps and being downloaded from malicious websites or ads, Unuchek told SC Media.
He added that he's seen more than 30,000 infected users since July 1st 2017, but said the actual number may be greater, since there are many people without antivirus solutions. The trojans basically steal a users money just by clicking on webpages.
“They are stealing less money than banking Trojans, but it is harder for a user to notice the monetary loss,” Unuchek said. “There were cases when such Trojans were stealing small amounts of money, every day, for months!”
