{
	"id": "2c495df3-0067-4e28-941b-5b3c61b5dc46",
	"created_at": "2026-04-06T00:13:48.912812Z",
	"updated_at": "2026-04-10T03:30:33.492224Z",
	"deleted_at": null,
	"sha1_hash": "d4306e3b0f644e447b14b1681faa229e40ebd533",
	"title": "Toll fraud malware: How an Android application can drain your wallet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3848028,
	"plain_text": "Toll fraud malware: How an Android application can drain your\r\nwallet\r\nBy Microsoft Threat Intelligence\r\nPublished: 2022-06-30 · Archived: 2026-04-05 20:47:50 UTC\r\nToll fraud malware, a subcategory of billing fraud in which malicious applications subscribe users to premium\r\nservices without their knowledge or consent, is one of the most prevalent types of Android malware – and it\r\ncontinues to evolve.\r\nCompared to other subcategories of billing fraud, which include SMS fraud and call fraud, toll fraud has unique\r\nbehaviors. Whereas SMS fraud or call fraud use a simple attack flow to send messages or calls to a premium\r\nnumber, toll fraud has a complex multi-step attack flow that malware developers continue to improve.\r\nFor example, we saw new capabilities related to how this threat targets users of specific network operators. It\r\nperforms its routines only if the device is subscribed to any of its target network operators. It also, by default, uses\r\ncellular connection for its activities and forces devices to connect to the mobile network even if a Wi-Fi\r\nconnection is available. Once the connection to a target network is confirmed, it stealthily initiates a fraudulent\r\nsubscription and confirms it without the user’s consent, in some cases even intercepting the one-time password\r\n(OTP) to do so. It then suppresses SMS notifications related to the subscription to prevent the user from becoming\r\naware of the fraudulent transaction and unsubscribing from the service.\r\nAnother unique behavior of toll fraud malware is its use of dynamic code loading, which makes it difficult for\r\nmobile security solutions to detect threats through static analysis, since parts of the code are downloaded onto the\r\ndevice in certain parts of the attack flow. Despite this evasion technique, we’ve identified characteristics that can\r\nbe used to filter and detect this threat. 
We also see adjustments in Android API restrictions and Google Play Store publishing policy that can help mitigate this threat.\r\nToll fraud has drawn media attention since Joker, its first major malware family, found its way to the Google Play Store back in 2017. Despite this attention, there’s not a lot of published material about how this type of malware carries out its fraudulent activities. Our goal for this blog post is to share an in-depth analysis of how this malware operates, how analysts can better identify such threats, and how Android security can be improved to mitigate toll fraud. This blog covers the following topics:\r\nThe WAP billing mechanism: An overview\r\nFraudulent subscriptions via toll fraud\r\nForcing cellular communication\r\nFetching premium service offers and initiating subscriptions\r\nIntercepting OTPs\r\nSuppressing notifications\r\nUsing dynamic code loading for cloaking\r\nMitigating the threat of toll fraud malware\r\nhttps://www.microsoft.com/security/blog/2022/06/30/toll-fraud-malware-how-an-android-application-can-drain-your-wallet/\r\nPage 1 of 25\n\nIdentifying potential malware\r\nImproving Android security and privacy\r\nThe WAP billing mechanism: An overview\r\nTo understand toll fraud malware, we need to know more about the billing mechanism that attackers use. The type of billing commonly used in toll fraud is Wireless Application Protocol (WAP) billing. WAP billing is a payment mechanism that enables consumers to subscribe to paid content from sites that support this protocol and get charged directly through their mobile phone bill. The subscription process starts with the customer initiating a session with the service provider over a cellular network and navigating to the website that provides the paid service. 
As a second step, the user must click a subscription button and, in some cases, receive a one-time password (OTP) that has to be sent back to the service provider to verify the subscription. The overall process is depicted below:\r\nFigure 1. The WAP billing process in a nutshell\r\nIt should be noted that the process depends on the service provider, thus not all steps are always present. For example, some providers do not require an OTP, which means that the mobile user can subscribe to a service by simply clicking the subscription button while the device is connected to a cellular network.\r\nFraudulent subscriptions via toll fraud\r\nWe classify a subscription as fraudulent when it takes place without a user’s consent. In the case of toll fraud, the malware performs the subscription on behalf of the user, in a way that the overall process is not perceivable by the user, through the following steps:\r\n1. Disable the Wi-Fi connection or wait for the user to switch to a mobile network\r\n2. Silently navigate to the subscription page\r\n3. Auto-click the subscription button\r\n4. Intercept the OTP (if applicable)\r\n5. Send the OTP to the service provider (if applicable)\r\n6. Cancel the SMS notifications (if applicable)\r\nOne significant and permissionless inspection that the malware does before performing these steps is to identify the subscriber’s country and mobile network through the mobile country code (MCC) and mobile network code (MNC). This inspection is done to target users within a specific country or region. Both codes can be fetched by using either the TelephonyManager or the SystemProperties class. 
The TelephonyManager.getSimOperator() API call returns the MCC and MNC codes as a concatenated string, while other functions of the same class can be used to retrieve various information about the mobile network that the device is currently subscribed to. As the network and SIM operator may differ (e.g., in roaming), the getSimOperator function is usually preferred by malware developers.\r\nThe same type of information can be fetched by using the SystemProperties.get(String key) function, where the key parameter may be one or several (using multiple calls) of the following strings: gsm.operator.numeric, gsm.sim.operator.numeric, gsm.operator.iso-country, gsm.sim.operator.iso-country, gsm.operator.alpha, gsm.sim.operator.alpha\r\nThe difference with the first call is that the android.os.SystemProperties class is marked as @SystemApi, therefore an application has to use Java reflection to invoke the function. The MNC and MCC codes are also used to evade detection, as the malicious activity won’t be performed unless the SIM operator belongs to the ones targeted:\r\nFigure 2. Joker malware running its payload, targeting South African mobile operators\r\nThe following sections present an analysis of the fraudulent subscription steps in the context of the Android operating system. This analysis can help identify the API calls and the permissions needed for the implementation of a toll fraud scheme.\r\nForcing cellular communication\r\nVariants of toll fraud malware targeting Android API level 28 (Android 9.0) or lower disable the Wi-Fi by invoking the setWifiEnabled method of the WifiManager class. The permissions needed for this call are ACCESS_WIFI_STATE and CHANGE_WIFI_STATE. 
Since the protection level for both permissions is set to normal, they are automatically approved by the system.\r\nMeanwhile, malware targeting a higher API level uses the requestNetwork function of the ConnectivityManager class. The Android developers page describes the requestNetwork method as:\r\nThis method will attempt to find the best network that matches the given NetworkRequest, and to bring up one that does if none currently satisfies the criteria. The platform will evaluate which network is the best at its own discretion. Throughput, latency, cost per byte, policy, user preference and other considerations may be factored in the decision of what is considered the best network.\r\nThe required permission for this call is either CHANGE_NETWORK_STATE (protection level: normal) or WRITE_SETTINGS (protection level: signature|preinstalled|appop|pre23), but since the latter is protected, the former is usually preferred by malware developers. In the code snippet depicted below from a malware sample that can perform toll fraud, the function vgy7 is requesting a TRANSPORT_CELLULAR transport type (Constant Value: 0x00000000) with NET_CAPABILITY_INTERNET (Constant Value: 0x0000000c):\r\nFigure 3. Code from a Joker malware sample requesting a TRANSPORT_CELLULAR transport type\r\nThe NetworkCallback is used to monitor the network status and retrieve a network type variable that can be used to bind the process to a particular network via the ConnectivityManager.bindProcessToNetwork function. This allows the malware to use the mobile network even when there is an existing Wi-Fi connection. The proof-of-concept code depicted below uses the techniques described above to request a TRANSPORT_CELLULAR transport type. 
If the transport type is available, it binds the process to the mobile network to load the host at example.com in the application’s WebView:\r\nFigure 4. Proof-of-concept code to request a TRANSPORT_CELLULAR transport type\r\nWhile it is expected that the Wi-Fi connection is preferred even when a mobile connection is also available, the process exclusively uses the cellular network to communicate with the server:\r\nFigure 5. The mobile browser loads example.com when the TRANSPORT_CELLULAR transport type is available and loads a blank page when only Wi-Fi is available\r\nIn fact, the user must manually disable mobile data to prevent the malware from using the cellular network. Even though setWifiEnabled has been deprecated, it can still be used by malware targeting API level 28 or lower.\r\nFetching premium service offers and initiating subscriptions\r\nAssuming that the SIM operator is on the target list and the device is using a TRANSPORT_CELLULAR type network, the next step is to fetch a list of websites offering premium services and attempt to automatically subscribe to them.\r\nThe malware will communicate with a C2 server to retrieve a list of offered services. An offer contains, among other things, a URL which leads to a redirection chain that ends at a web page known as the landing page.\r\nWhat happens next depends on the way that the subscription process is initiated, thus the malware usually includes code that can handle various subscription flows. 
In a typical scenario, the user has to click an HTML element similar to the one depicted below (JOIN NOW), and as a second step, send a verification code back to the server:\r\nFigure 6. A subscription page that’s loaded in the background without the user’s knowledge.\r\nFor the malware to do this automatically, it observes the page loading progress and injects JavaScript code designed to click HTML elements that initiate the subscription. As the user can only subscribe once to one service, the code also marks the HTML page using a cookie to avoid duplicate subscriptions. The following is an example of such code:\r\nFigure 7. JavaScript injected code scraping related HTML elements\r\nOn line 76, getElementsByTagName returns a collection of all the Document Object Model (DOM) elements tagged as input. The loop on line 78 goes through every element and checks its type as well as its name, value, and alt properties. When an element is found to contain keywords, such as “confirm”, “click”, and “continue”, it is sent to the c function, as depicted below:\r\nFigure 8. JavaScript function simulating clicks on selected HTML elements\r\nThe if statement on line 36 checks if the element has already been clicked by calling the jdh function, displayed below in Figure 12. Finally, the c function invokes the click() or submit() function once the branch on line 37 (see Figure 11) is taken:\r\nFigure 9. 
JavaScript code checking if the page has already been visited\r\nThe HTML page loading process is tracked using an onPageFinished callback of the WebViewClient attached to the WebView. Subsequently, a handler that listens for the relevant message types acts depending on the next steps that are required for the subscription to take place. In the code snippet below, the URL loaded in the WebView and a signal with id “128” are sent to handler2 to evaluate the service and initiate the subscription process:\r\nFigure 10. Malware evaluating the steps required to initiate the subscription process\r\nMulti-step or targeted subscription processes may require additional verification steps. The handler depicted below checks the page URL loaded in the WebView. If the URL matches doi[.]mtndep.co.za/service/, then the handler runs the JavaScript code assigned to the Properties.call_jbridge_dump variable:\r\nFigure 11. Malware running code depending on certain conditions\r\nA signal with id “107” triggers some additional steps that require communication with the command and control (C2) server. This case is demonstrated in the following figures:\r\nFigure 12. Malware running code depending on the specific signal id\r\nUpon receiving the signal, the handler invokes the v1.bhu8 function:\r\nFigure 13. Malware attacking anti-fraud protection\r\nAfter checking for web-zdm[.]secure-d[.]io/api/v1/activate in the server’s reply, the malware invokes the tpack[.]l2.bhu8[.]vgy7 function. 
This function sends the current URL loaded in the application’s WebView as well as some extra information, like the country code and the HTML code:\r\nFigure 14. Malware sending information to the C2 server\r\nFigure 15. A solver-type service offered by the C2 server\r\nIntercepting OTPs\r\nIn most cases, the service provider sends an OTP that must be sent back to the server to complete the subscription process. As the OTP can be sent using either the HTTP or USSD protocol or SMS, the malware must be capable of intercepting these types of communication. For the HTTP protocol, the server’s reply must be parsed to extract the token. For the USSD protocol, on the other hand, the only way to intercept is by using the accessibility service.\r\nOne method of intercepting an SMS message, requiring the android.permission.RECEIVE_SMS permission, is to instantiate a BroadcastReceiver that listens for the SMS_RECEIVED action.\r\nThe following code snippet creates a BroadcastReceiver and overrides the onReceive callback of the superclass to filter out messages that start with “rch”:\r\nFigure 16. Code that filters out SMS messages that start with “rch”\r\nSubsequently, it creates an IntentFilter, which renders the receiver capable of listening for an SMS_RECEIVED action, and finally the receiver is registered dynamically:\r\nFigure 17. The IntentFilter enabling the receiver to listen for an SMS_RECEIVED action\r\nTo handle OTP messages that are sent using the HTTP protocol, the malware parses the HTML code to search for keywords indicating the verification token. 
The following code contains a flow where the extracted token is sent to the server using the sendTextMessage API call:\r\nFigure 18. Extracted token is sent to the C2 server using the sendTextMessage API call\r\nThe additional permission that is required to enable this flow is SEND_SMS.\r\nAnother way of intercepting SMS messages is to extend the NotificationListenerService. This service receives calls from the system when new notifications are posted or removed, including the ones sent from the system’s default SMS application. The code snippet below demonstrates this functionality:\r\nFigure 19. Extending the NotificationListenerService service\r\nWe triggered a notification with the title “SMS_Received” and text “Pin:12345” during our analysis, resulting in the following output in the application’s logcat:\r\nFigure 20. Logcat output after a notification is posted\r\nFinally, besides the broadcast receiver and the notification listener techniques of intercepting an SMS message, a ContentObserver can be used to receive callbacks for changes to specific content. The onChange callback of the SmsObserver class (depicted below) is called each time the system changes the SMS content provider state:\r\nFigure 21. The proof-of-concept code monitoring for incoming SMS messages through SmsObserver\r\nSuppressing notifications\r\nSince API level 18, an application that extends the NotificationListenerService is authorized to suppress notifications triggered from other applications. 
The relevant API calls are:\r\ncancelAllNotifications() to inform the notification manager to dismiss all notifications\r\ncancelNotification(String key) to inform the notification manager to dismiss a single notification\r\ncancelNotifications(String[] keys) to inform the notification manager to dismiss multiple notifications at once.\r\nThis API subset is abused by malware developers to suppress service subscription notification messages posted by the default SMS application. More specifically, upon successful subscription, the service provider sends a message to the user to inform them about the charges and offers the option to unsubscribe. By having access to the notification listener service, the malware can call any of the functions mentioned above to remove the notification.\r\nUsing dynamic code loading for cloaking\r\nCloaking refers to a set of techniques used to hide malicious behavior. For example, most toll fraud malware won’t take any action if the mobile network is not among its targets. Another example of a cloaking mechanism used by these threats is dynamic code loading. This means that certain malware code is only loaded when certain conditions are met, making it difficult to detect by static analysis.\r\nThe following is a characteristic example of a multi-stage toll fraud malware with SHA-256: 2581aba12919ce6d9f89d86408d286a703c1e5037337d554259198c836a82d75 and package name: com.cful.mmsto.sthemes.\r\nStage one\r\nThis malware’s entry point is found to be com.android.messaging.BugleApplication, a subclass of the Application class. The malicious flow leads to the function below:\r\nFigure 22. The function that the entry point of the malware leads to\r\nThe call on line 21 fills the files array with the filenames fetched from the assets directory. 
The for loop enters the if branch at line 32 if the name of the asset file ends with “355”. Querying the asset files of the app for such a filename yields the following result:\r\nFigure 23. Query result when searching for “355”\r\nThe PhoneNumberAlternateFormatsProto_355 is the source file which, in conjunction with a destination file and the string “xh7FEC2clYuoNQ$ToT99ue0BINhw^Bzy”, is given as parameters to the ns.j function:\r\nFigure 24. The ns.j function\r\nThe SecretKeySpec on line 68 is constructed from the first 16 bytes of the SHA-1 digest of the password string. This key is used to decrypt the file fetched from the assets using the Advanced Encryption Standard (AES) in electronic codebook (ECB) mode. The decryption result is an ELF file that is saved in the application’s cache directory and loaded using the System.load function.\r\nStage two\r\nThe loaded library fetches the PhoneNumberAlternateFormatsProto_300 file from the assets folder using the AAssetManager_fromJava function and writes it to a temporary file with the name b in the /data/data/\u003cpackage_name\u003e/ directory, as seen on line 93 below:\r\nFigure 25. Fetching the second payload from the assets directory.\r\nThe file b is then decrypted using an XOR operation with the key “xh7FEC2clYuoNQ$ToT99ue0BINhw^Bzy”, which is passed in from the Java side (see the following figures). The decrypted payload is saved with the name l in the application’s data directory:\r\nFigure 26. Decrypting the asset\r\nFigure 27. 
The native handleTask called from the Java code\r\nThe same function loads the decrypted payload l and invokes com.AdsView.pulgn using the DexClassLoader class loader (variable names have been changed for clarity):\r\nFigure 28. Dynamically loading the decrypted asset using the DexClassLoader\r\nDecrypting the second payload manually yields the following APK file:\r\nFigure 29. The decrypted APK file\r\nIt must be mentioned that the DexClassLoader can be used to load classes from .jar and .apk files that contain a classes.dex entry.\r\nStage three\r\nThis decrypted APK consists of two main classes: com.Helper and com.AdsView. The com.AdsView.pulgn function is the first to be invoked by the native library described in the previous section:\r\nFigure 30. pulgn is the first function to be invoked when the payload is loaded\r\nThe runnable thread’s main functionality is to connect the host to xn3o[.]oss-accelerate[.]aliyuncs[.]com and download a JAR file named xn30, which is saved to the cache directory with the name nvi and then loaded using the startSdk function, as shown on line 81 below:\r\nFigure 31. Download and trigger the final payload\r\nThe file xn30 is the final payload of stage three and is the one that performs the toll fraud activities previously described.\r\nMitigating the threat of toll fraud malware\r\nToll fraud is one of the most common malware categories, with high financial loss as its main impact. Due to its sophisticated cloaking techniques, prevention on the user’s side plays a key role in keeping the device secure. 
A rule of thumb is to avoid installing Android applications from untrusted sources (sideloading) and always follow up with device updates. We also recommend end users take the following steps to protect themselves from toll fraud malware:\r\nInstall applications only from the Google Play Store or other trusted sources.\r\nAvoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong understanding of why the application needs it. These are powerful permissions that are not commonly needed.\r\nUse a solution such as Microsoft Defender for Endpoint on Android to detect malicious applications.\r\nIf a device is no longer receiving updates, strongly consider replacing it with a new device.\r\nIdentifying potential malware\r\nFor security analysts, it is important to be aware that conventional mitigation techniques based on static detection of malware code patterns can only offer limited remediation against this malware. This is due to the extended use of reflection, encryption, compression, obfuscation, steganography, and dynamic code loading.\r\nThere are, however, characteristics that can be used to identify this type of malware. We can classify these characteristics into three groups:\r\nPrimary characteristics – patterns in plaintext included in the application that can be analyzed statically\r\nSecondary characteristics – common API calls used to conduct toll fraud activities\r\nTertiary characteristics – patterns in Google Play Store metadata such as the application’s category, the developer’s profile, and user reviews, among others\r\nThe tertiary characteristics are useful for initial filtering for potential malware. 
Patterns observed in the apps’ metadata are related to malware developers’ attempts to infect as many devices as possible in a short amount of time, while remaining published on the Google Play Store for as long as they can. We’ve observed that attackers often follow these steps to keep their apps in the Google Play Store:\r\n1. Use open-source applications that belong to popular categories and can be trojanized with minimal effort. The preferred application categories include personalization (like wallpaper and lock screen apps), beauty, editor, communication (such as messaging and chat apps), photography, and tools (like cleaner and fake antivirus apps).\r\n2. Upload clean versions until the application gets a sufficient number of installs.\r\n3. Update the application to dynamically load malicious code.\r\n4. Separate the malicious flow from the uploaded application to remain undetected for as long as possible.\r\nThese applications often share common characteristics:\r\nExcessive use of permissions that are not suitable to the application’s usage (for example, wallpaper, editor, and camera apps that bind the notification listener service or ask for SMS permissions)\r\nConsistent user interfaces, with similar icons, policy pages, and buttons\r\nSimilar package names\r\nSuspicious developer profile (fake developer name and email address)\r\nNumerous user complaints in the reviews\r\nOnce potential malware samples are identified based on these tertiary characteristics, the primary characteristics can be used for further filtering and confirmation. Applications cannot obfuscate their permission requests, use of the notification listener service, or use of the accessibility service. These requests must appear in the AndroidManifest.xml file within the APK, where they can be easily detected using static analysis. 
The permissions commonly requested by malware performing toll fraud may include: READ_SMS, RECEIVE_SMS, SEND_SMS, CHANGE_WIFI_STATE, ACCESS_WIFI_STATE, CHANGE_NETWORK_STATE. Requests for the notification listener and accessibility service should be considered extremely suspicious.\r\nSecondary characteristics include suspicious API calls such as: setWifiEnabled, requestNetwork, setProcessDefaultNetwork, bindProcessToNetwork, getSimOperator and cancelAllNotifications. However, since these calls may be obfuscated and may be hard to identify during static analysis, a more in-depth analysis may be necessary for certainty.\r\nImproving Android security and privacy\r\nGoogle continuously improves Android security and privacy as the mobile threat landscape evolves and new threats and adversary techniques are discovered. For example, in the operating system, API calls that can reveal potentially sensitive information continue to be removed or restricted, and in the Google Play Store, the publication policies guard against the use of certain high-risk permissions (for example, the ability to receive or send SMSs) by requiring a Permission Declaration Form to be completed justifying their use. We anticipate Android security will continue to evolve to address abuse.\r\nAs discussed, applications currently can identify the cellular network operator and can send network traffic over the cellular network without any transparency to the user. Additionally, applications can request access to read and dismiss notifications, a very powerful capability, without needing to justify this behavior.\r\nConclusion\r\nToll fraud has been one of the most prevalent types of Android malware in the Google Play Store since 2017, when families like Joker and their variants made their first appearance. 
It accounted for 34.8% of installed Potentially Harmful Applications (PHA) from the Google Play Store in the first quarter of 2022, ranking second only to spyware.\r\nBy subscribing users to premium services, this malware can lead to victims receiving significant mobile bill charges. Affected devices also have increased risk because this threat manages to evade detection and can achieve a high number of installations before a single variant gets removed.\r\nWith this blog, we want to inform end users about the details of this threat and how they can protect themselves from toll fraud. We also aim to provide security analysts with guidance on how to identify other malicious applications that use these techniques.\r\nOur in-depth analysis of this threat and its continuous evolution informs the protection we provide through solutions like Microsoft Defender for Endpoint on Android.\r\nLearn how Microsoft Defender for Endpoint provides cross-platform security, including mobile threat defense capabilities.\r\nDimitrios Valsamaras and Sang Shin Jung\r\nMicrosoft 365 Defender Research Team\r\nAppendix\r\nSamples (SHA-256)\r\nSample | SHA-256\r\nInitial APK file (com.cful.mmsto.sthemes) | 2581aba12919ce6d9f89d86408d286a703c1e5037337d554259198c836a82d75\r\nPayload of stage two: ELF file (loader) (PhoneNumberAlternateFormatsProto_355, decrypted) | 904169162209a93ac3769ae29c9b16d793d5d5e52b5bf198e59c6812d7d9eb14\r\nPayload of stage three: APK (hostile downloader) (PhoneNumberAlternateFormatsProto_300, decrypted) | 61130dfe436a77a65c04def94d3083ad3c6a18bf15bd59a320716a1f9b39d826\r\nPayload of stage four: DEX (billing fraud) | 4298952f8f254175410590e4ca2121959a0ba4fa90d61351e0ebb554e416500f\r\nCommon API calls and permissions\r\nAPI call | Permissions | SDK\r\nsetWifiEnabled | CHANGE_WIFI_STATE, ACCESS_WIFI_STATE | \u003c29\r\nrequestNetwork | CHANGE_NETWORK_STATE | \u003e28\r\nsetProcessDefaultNetwork | – | \u003c23\r\nbindProcessToNetwork | – | \u003e22\r\ngetActiveNetworkInfo | ACCESS_NETWORK_STATE | –\r\ngetSimOperator | – | –\r\nget (SystemProperties) | – | –\r\naddJavascriptInterface | – | –\r\nevaluateJavascript | – | \u003e18\r\nonPageFinished | – | –\r\nonPageStarted | – | –\r\nonReceive for SMS BroadcastReceiver w/ android.provider.Telephony.SMS_RECEIVED | RECEIVE_SMS | \u003e19\r\ncreateFromPdu | RECEIVE_SMS | –\r\ngetMessageBody | – | –\r\nonChange for SMS ContentObserver w/ android.provider.telephony.SmsProvider’s content URI (“content://sms”) | READ_SMS | –\r\nsendTextMessage | – | –\r\nonNotificationPosted | – | –\r\nReferences\r\nEverything You Need to Know About Toll Fraud – Voice \u0026 Video – Twilio\r\nGoogle Online Security Blog: PHA Family Highlights: Bread (and Friends) (googleblog.com)\r\nMalware categories | Play Protect | Google Developers\r\nConnectivityManager | Android Developers\r\nDexClassLoader | Android Developers\r\nUse of the AccessibilityService API – Play Console Help (google.com)\r\nSource: https://www.microsoft.com/security/blog/2022/06/30/toll-fraud-malware-how-an-android-application-can-drain-your-wallet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2022/06/30/toll-fraud-malware-how-an-android-application-can-drain-your-wallet/"
	],
	"report_names": [
		"toll-fraud-malware-how-an-android-application-can-drain-your-wallet"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434428,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d4306e3b0f644e447b14b1681faa229e40ebd533.pdf",
		"text": "https://archive.orkl.eu/d4306e3b0f644e447b14b1681faa229e40ebd533.txt",
		"img": "https://archive.orkl.eu/d4306e3b0f644e447b14b1681faa229e40ebd533.jpg"
	}
}