Watch out, WAPDropper malware could subscribe you to premium services

Pierluigi Paganini November 25, 2020

Researchers spotted a new mobile malware dubbed WAPDropper that subscribes users to legitimate premium-rate services.

Security researchers from Check Point have spotted a new malware family dubbed WAPDropper that targets mobile phone users to subscribe them to legitimate premium-rate services.

Check Point experts observed the WAPDropper subscribing unaware users to premium services from legitimate telecommunications providers in Malaysia and Thailand.

The WAPDropper malware also acts as a dropper and can deliver second-stage malware, one of its capabilities to bypass image-based CAPTCHA challenges using a machine learning service bases on Machine Learning.

The malware is composed of two modules, one responsible for fetching the second-stage malware from the C2 and another for getting the premium dialer component that subscribes the victims to legitimate premium services.

“The malware, which belongs to a newly discovered family, consists of two different modules: the dropper module, which is responsible for downloading the 2nd stage malware, and a premium dialer module that subscribes the victims to premium services offered by legitimate sources – In this campaign, telecommunication providers in Thailand and Malaysia.” reads the analysis published by Check Point.

The malicious code is distributed via third-party markets, upon installing the malicious code it contacts the C&C server and receives the payloads to execute.

The payload employed in this campaign is the premium dialer module, which opens a tiny web-view, and contacts premium services offered by legitimate telecom companies.

“WAPDropper then sends a request thread to the C&C server for the server to send an ad offer. After it receives an ad offer, the malware constructs a 1×1 pixel dialog which appears almost invisible, but actually contains a tiny web view.” continues the analysis.

The malware is able to collect details about the infected device, including the following information:

  • Device ID
  • Mac Address
  • Subscriber ID
  • Device model
  • List of all installed apps
  • List of running services
  • Topmost activity package name
  • Is the screen turned on
  • Are notifications enabled for this app
  • Can this app draw overlays
  • Amount of available free storage space
  • Total amount of RAM and available RAM
  • List of non-system applications

The malware initiates a webview component at one pixel to load the landing pages for the premium services and complete the subscription, with this trick the component is almost invisible on the screen.

Then WAPDropper attempts to subscribe the user to those services, and in case a CAPTCHA step is required to finalize the subscription it uses the ML services of “Super Eagle”, a Chinese company, to solve the challenge.

Even if in these attacks WAPDropper drops a premium dialer, in the future, it could be used to deliver any other kind of malicious payload.

WAPDropper

The recognize CAPTCHA capability is very interesting, the WAPDropper malware chooses whether to download the picture and send it to the C2, or to parse the DOM tree of the picture and send it to the “Super Eagle” service.
In the latter case, the ML-based service returns the coordinate position of the recognition result in the picture, and then parses the coordinate simulation landing.

The report published by Check Point also includes Indicators of Compromise (IoCs).

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment