Skip to content

Toll fraud malware is modifying your WiFi settings; warns Microsoft

  • by
  • 3 min read

Microsoft has warned that toll fraud malware is emerging as one of the most prevalent threats on Android devices as the company shared a technical analysis on how the malware works and ways to prevent being conned.

Toll fraud is considered a subset of billing fraud where attackers trick victims into calling or sending an SMS to a premium number which ends up being charged to their phone bill. The major difference is that toll fraud requires the victim to be on their carrier’s network instead of connected to a WiFi network. 

Microsoft 365 Defender Research Team’s report breaks down the attack process into several steps:

  • Disabling the victim’s WiFi connection or waiting for them to be connected to their carrier alone.
  • Navigating to the subscription page.
  • Auto-clicking the subscription button.
  • Intercepting the OTP if the service provider sends one.
  • Returning the OTP to the service provider.
  • Cancelling SMS notifications if applicable. 

Showing sample code from the Joker malware, Microsoft demonstrated the first and arguably the most important step in the process, disabling the victim’s WiFi. On devices running Android 9 or lower, this can be done with a normal protection permission level. For versions above Android 9, the same can be done with the requestNetwork function, which falls under the CHANGE_NETWORK_STATE permission, another regular protection level activity. 

Toll fraud malware is modifying your WiFi settings; warns Microsoft
Toll malware attack chain. | Source: Microsoft

Such malware can then monitor network status by abusing the function mentioned above and binding the malware to the victim’s carrier network, forcing the victim device to ignore WiFi connections and use the carrier’s network instead.

The malware then fetches a list of premium subscriptions. If the victim’s mobile carrier supports any of them, it uses JavaScript code to automatically click the corresponding HTML elements to subscribe to a service. Since duplicate subscriptions aren’t allowed, the malware even uses cookies to ensure they don’t visit duplicate pages. 

As some carriers require additional verification, several such malware also captures the victim’s SMS inbox, looking for threads that indicate an OTP, capture it, and then feeding it back to the service provider hence completing the process. 

The last step in the attack chain is to disable any SMS notifications the victim might get after subscribing to such services. This can be done using the following three functions.

  • cancelAllNotifcations(): Tells the notification manager to dismiss all notifications.
  • cancelNotification(key): Tells the notification manager to dismiss notifications from a particular app or a single notification.
  • cancelNotifications(keys): Tells the notification manager to dismiss multiple notifications simultaneously. 

Protection against such malware depends on the permissions users give each app and the source of their apps. Microsoft recommends not giving an app SMS or Notification access unless required. Additionally, ensuring that you only get apps from the Google Play Store and checking the notification requirements before hand is also a good idea.

In the News: Indian mercenary hackers are swaying global lawsuits

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: