Watch out, WAPDropper malware could subscribe you to premium services

Researchers spotted a new mobile malware dubbed WAPDropper that subscribes users to legitimate premium-rate services.

Security researchers from Check Point have spotted a new malware family dubbed WAPDropper that targets mobile phone users to subscribe them to legitimate premium-rate services.

Check Point experts observed the WAPDropper subscribing unaware users to premium services from legitimate telecommunications providers in Malaysia and Thailand.

The WAPDropper malware also acts as a dropper and can deliver second-stage malware; among its capabilities, it can bypass image-based CAPTCHA challenges by relying on a machine-learning service.

The malware is composed of two modules, one responsible for fetching the second-stage malware from the C2 and another for getting the premium dialer component that subscribes the victims to legitimate premium services.

“The malware, which belongs to a newly discovered family, consists of two different modules: the dropper module, which is responsible for downloading the 2nd stage malware, and a premium dialer module that subscribes the victims to premium services offered by legitimate sources – In this campaign, telecommunication providers in Thailand and Malaysia.” reads the analysis published by Check Point.

The malicious code is distributed via third-party markets; once installed, it contacts the C&C server and receives the payloads to execute.

The payload employed in this campaign is the premium dialer module, which opens a tiny web view and contacts premium services offered by legitimate telecom companies.

“WAPDropper then sends a request thread to the C&C server for the server to send an ad offer. After it receives an ad offer, the malware constructs a 1×1 pixel dialog which appears almost invisible, but actually contains a tiny web view.” continues the analysis.

The malware is able to collect details about the infected device, including the following information:

  • Device ID
  • MAC address
  • Subscriber ID
  • Device model
  • List of all installed apps
  • List of running services
  • Topmost activity package name
  • Is the screen turned on
  • Are notifications enabled for this app
  • Can this app draw overlays
  • Amount of available free storage space
  • Total amount of RAM and available RAM
  • List of non-system applications

The malware initiates a one-pixel web view component to load the landing pages for the premium services and complete the subscription; thanks to this trick, the component is almost invisible on the screen.

WAPDropper then attempts to subscribe the user to those services, and if a CAPTCHA step is required to finalize the subscription, it uses the ML service of “Super Eagle”, a Chinese company, to solve the challenge.

Although in these attacks WAPDropper drops a premium dialer, in the future it could be used to deliver any other kind of malicious payload.

The CAPTCHA-recognition capability is particularly interesting: WAPDropper either downloads the CAPTCHA picture and sends it to the C2, or parses the DOM tree of the picture and sends it to the “Super Eagle” service.
In the latter case, the ML-based service returns the coordinates of the recognized elements within the picture, and the malware then parses those coordinates to simulate the corresponding interaction on the page.

The report published by Check Point also includes Indicators of Compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – hacking, malware)