Security researchers warn of a new family of malware that is currently targeting cell phone users and quietly enrolling them in legitimate premium services.
Named WAPDropper, the malware is a multifunction dropper that can provide malware and uses machine learning technology to bypass CAPTCHA challenges that use image.
Cybersecurity Check Point spotted WAPDropper in a recent campaign and found that it was enrolling its victims in premium services from legitimate telecommunications providers in Malaysia and Thailand.
The malware analysis revealed that it has two modules, which can download and run other malware on a compromised device.
In the case of WAPDropper, there is a unit responsible for retrieving malware in a second step from the command and control server and another unit for obtaining the premium dialer.
The plan for scammers to make money is simple: many calls to premium numbers charge the victim's account.
According to Check Point, WAPDropper administrators use a common tactic, integrating malware into applications available from unofficial stores.
Once on the victim's device, the malware communicates with the command and control server (C2) to download the program that makes the premium calls.
In one technical reference , the researchers report that the malware activity starts with collecting details from the infected device:
- Device ID
- MAC address
- Subscriber ID
- Device model
- List of all installed applications
- List of services running
- Top activity package name
- The screen is on
- Notifications for this application are enabled
- This application can design overlays
- Amount of free storage available
- Total amount of RAM and available RAM
- List of applications outside the system
Then a web viewer starts to load landing pages for premium services and make a subscription.
If there is a CAPTCHA that uses images, Check Point reports that WAPDropper uses the services of a Chinese company called "Super Eagle", which provides image recognition solutions based on machine learning technology.