We’ve come across our fair share of malware in the past that fraudulently subscribes users to in-app purchases and other services on smartphones. Now researchers from Check Point have discovered similar malware named WAPDropper.
The malware subscribes users to premium phone numbers in what is known as International Revenue Share Fraud (IRSF). The resulting charges land on the user’s phone bill and can be costly.
The initial infection happens when the user downloads an already infected app. Once the malware is on the user’s device, it can install and execute additional malware through its dropper module.
The second module of the malware, known as the premium dialer, is responsible for subscribing users without their authorization to premium-rate numbers “offered by legitimate sources”, which in this case happen to be telcos based in Thailand and Malaysia.
The researchers explain in their blog post:
“After installation, WAPDropper contacts its Command and Control (C&C) server and then downloads the premium dialer module, which opens a tiny web-view screen, and contacts premium services offered by legitimate telecom companies.”
During the subscription process, a CAPTCHA may appear, which according to the researchers is subverted by employing the AI services of a Chinese company named Super Eagle.
To conclude, if you believe you may have been affected, you should first uninstall any suspicious applications and inspect your billing records to identify any unusual patterns. If you find any, immediately contact your banking service providers to see if the charges can be reversed.
In the future, download apps only from the official stores of Apple, Google, or Microsoft rather than from third-party stores, and avoid apps with a low number of reviews and bad ratings. This is of course not foolproof, but it is a good measure nonetheless.