An old scam to separate people from their money has been gaining more popularity. It uses a cellphone protocol called WAP billing to steal your money. You have a hint from its name that it has something to do with wireless network protocols, but the idea is to save folks some time when they want to pay for something online by having the charges go directly onto the user’s phone bill. This makes it easier, since users don’t need to register a credit card or set up a username and password with the online storefront. If you have ever been charged for a premium rate SMS message, or used your phone to donate funds to a relief agency fundraiser by texting a specific SMS number, you have used the same process. Typically, users are presented with a webpage and just have to click on a button to initiate the legit process.
The problem, as pointed out in this blog post, is that the buyer has to deal with three different intermediaries with a typical WAP billing transaction:
- their mobile operator
- the payment provider
- the content provider (in our case, the malware author)
Despite the number of different parties, you’ll notice that there is no actual banking entity of the kind that typically handles online transactions, such as a credit card processor. That means the normal fraud protections built into the credit card network don’t apply. Sorry folks! If you get hit by one of these exploits, you will have to bring up the issue with your phone company when you get your bill – that is, if you actually look over those bills closely enough to see the spurious charges.
WAP billing trojans start off by connecting to a malicious website. The trojan visits the site, clicks on the buttons (again, without the phone user’s knowledge, using a background program), and then subscribes to various paid and unwanted services. It then intercepts and deletes the SMS confirmation messages, so the user never knows what is happening.
Despite having a name in common with an outdated wireless LAN protocol, WAP billing only works when a user is connected via broadband mobile data, not on any local Wi-Fi network. And one function of these trojans is to turn off the Wi-Fi radio on your phone to ensure that all data is sent over the mobile data network. Many of these trojans look like battery optimizers or other legit apps to get users to download them.
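The three behaviours just described (talking to a remote site, catching the SMS confirmations before the user sees them, and switching off Wi-Fi) each need a declared permission on Android, so the combination is a cheap screening signal when vetting an app before installing it. The following is an added example, not code from the original post: it assumes Android (the permission and broadcast-action names are real Android identifiers) and audits a constructed manifest for that combination. A match is a reason to look closer, not proof of a trojan, since a legitimate messaging or network-tools app can request the same permissions.

```python
"""Heuristic AndroidManifest.xml audit for the WAP-billing trojan pattern
described above. Added example; the two manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Real Android permission names; it is the combination that is interesting.
PERM_RECEIVE_SMS = "android.permission.RECEIVE_SMS"      # see incoming SMS
PERM_CHANGE_WIFI = "android.permission.CHANGE_WIFI_STATE" # can turn Wi-Fi off
PERM_INTERNET = "android.permission.INTERNET"             # reach the billing site


def _a(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(manifest_xml):
    """Return which of the post's three behaviours the manifest enables."""
    root = ET.fromstring(manifest_xml)
    perms = {_a(p, "name") for p in root.iter("uses-permission")}

    # Receivers for SMS_RECEIVED; a raised intent-filter priority is the usual
    # way an app tries to see a message before the regular messaging app.
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {_a(act, "name") for act in flt.findall("action")}
            if SMS_RECEIVED in actions:
                priority = int(_a(flt, "priority") or 0)
                sms_receivers.append((_a(receiver, "name"), priority))

    findings = {
        "sms_interception": PERM_RECEIVE_SMS in perms and bool(sms_receivers),
        "high_priority_sms_receiver": any(p > 0 for _, p in sms_receivers),
        "wifi_control": PERM_CHANGE_WIFI in perms,
        "network_access": PERM_INTERNET in perms,
    }
    findings["matches_wap_billing_pattern"] = (
        findings["sms_interception"]
        and findings["wifi_control"]
        and findings["network_access"]
    )
    return findings


# Constructed manifest of a fake "battery optimizer" with all three behaviours.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.batterysaver">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application android:label="Battery Optimizer">
    <receiver android:name=".SmsCatcher">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""


if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, audit_manifest(xml))
```

Running the script prints one findings dictionary per manifest; the constructed "battery optimizer" trips all three checks, while the weather app only shows network access.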
These are nasty apps, to be sure. You should ensure that you are downloading legit apps to your smartphone, and also pay careful attention to the additional charges on your cell bills in the future.
David Strom is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as VOIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 25 years. He has had several editorial management positions for both print and online properties and currently writes for Dice, Techtarget's SearchSecurity.com, ITworld.com and Network World. Find him on Twitter @dstrom and on his website strominator.com.