Kaspersky researchers have observed fraudsters actively spreading Trojans, which secretly subscribe users to paid services, disguised as various different mobile apps, including popular games, healthcare apps, and photo editors. Most of these Trojans request access to the user’s notifications and messages so that the fraudsters can then intercept messages containing confirmation codes.
Users aren’t knowingly subscribing to these services but are, rather, falling victim to carelessness. For instance, a user fails to read the fine print and, before they know it, they’re paying for a horoscope app. These victims often don’t realize these subscriptions exist until their mobile phone account runs dry earlier than expected.
According to Kaspersky researchers, the most widely spread Trojans that sign users up for unwanted subscriptions are:
Trojans from the Trojan.AndroidOS.Jocker family can intercept codes sent in text messages and bypass anti-fraud solutions. They’re usually spread on Google Play, where scammers download a legitimate app from the store, add malicious code to it, and then re-upload it under a different name. In most cases, these trojanized apps fulfill their purpose and the user never suspects that they’re a source of threat.
So far in 2022, Jocker has most frequently attacked users in Saudi Arabia (21.20%), Poland, (8.98%), and Germany (6.01%).
MobOk is considered the most active of the subscription Trojans with more than 70% of mobile users encountering these threats. MobOk Trojan is particularly notable for an additional capability that, in addition to reading the codes from messages, enables it to bypass CAPTCHA. MobOK does this by automatically sending the image to a service designed to decipher the code shown.
Since the beginning of the year, MobOk Trojan has most frequently attacked users in Russia (31.01%), India (11.17%), and Indonesia (11.02%).
Vesub Trojan is spread through unofficial sources and imitates popular games and apps, such as GameBeyond, Tubemate, Minecraft, GTA5, and Vidmate. This malware opens an invisible window, requests a subscription, and then enters the code it intercepts from the victim’s received text messages. After that, the user is subscribed to a service without their knowledge or consent.
Most of these apps lack any legitimate functionality. They subscribe users as soon as they are launched while victims just see a loading window. However, there are some examples, such as a fake GameBeyond app, where the detected malware is actually accompanied by a random set of functional games.
Two out of five users who encountered Vesub were in Egypt (40.27%). This Trojan family has also been active in Thailand (25.88%) and Malaysia (15.85%).
Unlike the Trojans mentioned above, this one does not subscribe victims to a third-party service – instead, it uses its own. Users end up subscribing to one of these services by simply not reading the user agreement carefully. For example, there are apps that have recently spread intensively on Google Play, offering to tailor personal weight-loss plans for a token fee. Such apps contain small print mentioning a subscription fee with automatic billing. This means money will be deducted from the user’s bank account on a regular basis without needing any further confirmation from the user.
To stay protected, Kaspersky experts also recommend:
- Check the permissions of the apps you’re using and thinking carefully before granting additional permissions.
- Use a reliable security solution to help detect malicious apps and adware before they achieve their goals.
- Update your operating system and any important apps as and when updates become available. Many safety issues can be solved by installing the updated versions of software.