
What Is WAP Billing and How Can It Be Exploited?

An old scam to separate people from their money has been gaining popularity. It uses a cellphone protocol called WAP billing to steal your money. The name hints that it has something to do with wireless network protocols, but the idea is to save folks some time when they want to pay for something online by having the charges go directly onto the user’s phone bill. This makes it easier, since users don’t need to register a credit card or set up a username and password with the online storefront. If you have ever been charged for a premium-rate SMS message, or used your phone to donate funds to a relief agency fundraiser by texting a specific SMS number, you have used the same process. Typically, users are presented with a webpage and just have to click on a button to initiate the legit process.

Well, that convenience can turn out to be an exploit. What happens is that the attacker writes some JavaScript code to do the clicking, so users are completely unaware that their accounts have been charged until they get their mobile phone bills. Security researchers have been finding these mobile WAP billing trojans with increasing frequency over the last several months.

The problem, as pointed out in this blog post, is that the buyer has to deal with three different intermediaries with a typical WAP billing transaction:

  • their mobile operator
  • the payment provider
  • the content provider (in our case, the malware author)

Despite the number of different parties, you’ll notice that there is no actual banking entity, such as a credit card processor, that typically handles these online transactions. That means the normal fraud protections built into the credit card network don’t apply. Sorry folks! If you get hit by one of these exploits, you will have to bring up the issue with your phone company when you get your bill – that is, if you actually look over those bills closely enough to see the spurious charges.

WAP billing trojans start off by connecting to a malicious website. The trojan visits the site, clicks on the buttons (again, without the phone user’s knowledge, using a background program), and then subscribes to various paid and unwanted services. It then intercepts and deletes the SMS confirmation messages, so the user never knows what is happening.

Despite having a name in common with an outdated wireless LAN protocol, WAP billing only works when a user is connected via broadband mobile data, not on any local Wi-Fi network. And one function of these trojans is to turn off the Wi-Fi radio on your phone to ensure that all data is sent over the mobile data network. Many of these trojans look like battery optimizers or other legit apps to get users to download them.

WAP billing attacks were previously found mostly in Russia, but now they are spreading to India and South Africa. One trojan infected almost 8,000 victims in 82 countries during July 2017. One popular family of these tools is called Xafecopy, which appears to share code with a Chinese JavaScript module called Ztorg. Another is called Autosus, which requires the user to grant it admin rights when it is first installed. It then deletes its icon from the list of installed apps so users can’t easily find it. And Podec has been around for several years; it became infamous when it was discovered that it could bypass CAPTCHA checks, and it is still the third most popular WAP trojan.
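The behaviours described above (SMS interception, forcing the phone onto mobile data, demanding device-admin rights, hiding the app icon) each leave a trace in an Android app’s manifest. As an added example that is not from the original post, here is a small static triage heuristic that scores a manifest on that combination; the two manifests are constructed for illustration and the permission and intent names are real Android identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attrs

# Capability -> real Android permissions that grant it
PERMISSION_TRAITS = {
    "sms_intercept": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "wifi_control": {"android.permission.CHANGE_WIFI_STATE"},
}

def analyze_manifest(xml_text):
    """Score a manifest on the traits the trojans in the post combine."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    findings = {t: bool(perms & needed) for t, needed in PERMISSION_TRAITS.items()}
    # Requesting device-admin rights requires a receiver guarded by BIND_DEVICE_ADMIN
    findings["device_admin"] = any(
        r.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        for r in root.iter("receiver"))
    # No MAIN/LAUNCHER activity: the app never shows an icon in the app drawer
    # (an app can also hide its icon at runtime, which this static check misses)
    findings["no_launcher_icon"] = not any(
        c.get(ANDROID + "name") == "android.intent.category.LAUNCHER"
        for c in root.iter("category"))
    score = sum(findings.values())
    # Each trait alone is common in benign apps; the combination is the signal
    return {"score": score, "findings": findings, "suspicious": score >= 3}

# Constructed manifests for illustration, not taken from any real app
TROJAN_LIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application>
    <service android:name=".ClickService"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""
```

Run `analyze_manifest` over each manifest: the constructed trojan-like one scores 4 and is flagged, the benign one scores 0.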

These are nasty apps, to be sure. You should ensure that you are downloading legit apps to your smartphone, and also pay careful attention to the additional charges on your cell bills in the future.

 

David Strom is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as VOIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 25 years. He has had several editorial management positions for both print and online properties and currently writes for Dice, Techtarget's SearchSecurity.com, ITworld.com and Network World. Find him on Twitter @dstrom and on his website strominator.com.