New WAPDropper malware abuses Android devices for WAP fraud


Protect Your Access to the Internet


Security researchers have detected a new strain of Android malware being currently distributed in the wild, primarily targeting users located in Southeast Asia.

Discovered by security firm Check Point, this new malware is named WAPDropper and is currently spread via malicious apps hosted on third-party app stores.

Check Point said that once the malware infects a user, it starts signing them up for premium phone numbers that charge large fees for various types of services.

The end result is that all infected users would receive large phone bills each month until they unsubscribed from the premium number or reported the issue to their mobile provider.

This type of tactic, known as “WAP fraud,” was very popular in the late 2000s and early 2010s, died out with the rise of smartphones, but made a comeback in the late 2010s as malware authors realized that many modern phones and telcos still supported the older WAP standard.

WAPDropper gang most likely based in SE Asia

Check Point says that based on the premium phone numbers used in this scheme, the malware authors are most likely based or collaborating with someone in Thailand or Malaysia.

“In this and similar schemes, the hackers and the owners of the premium rate numbers are either co-operating or could even be the same group of people,” the company said today in a report.

“It’s simply a numbers game: the more calls made using the premium-rate services, the more revenue is generated for those behind the services. Everybody wins, except the unfortunate victims of the scam.”

As for the malware itself, Check Point says WAPDropper operated using two different modules. The first was known as a dropper, while the second module was the component that performed the actual WAP fraud.

The first module was the only one packed inside the malicious apps, primarily to reduce the size and fingerprint of any malicious code inside them. Once the apps were downloaded and installed on a device, this module would download the second component and start defrauding victims.

But Check Point also wants to raise a sign of alarm about this particular piece of…