MOSCOW - Kaspersky Lab researchers have discovered a rise in mobile Trojan clickers that are stealing money from Android users through WAP-billing . 

This is a type of direct mobile payment taken without any additional registration. This trend has not been observed for a while but in Q2 of 2017 it became surprisingly common, with thousands of affected users in different countries across the globe, mainly in India and Russia.
Wireless Application Protocol (WAP) billing has been widely used by mobile network operators for paid services and subscriptions for many years. This form of mobile payment charges costs directly to the user’s mobile phone bill, without the need for bank card registration or a sign-up process. A user is usually redirected to a different web page via a button, and offered a range of additional services. By clicking on it, the user activates a subscription, and his mobile account is charged. 

In this threat scenario, these actions can be easily implemented by a Trojan, which performs in secret and clicks on every page by itself. In addition, a simple registration of domains in a mobile operator’s billing system, allows fraudsters to relatively easy connect their website to a WAP-billing service. As a result, money from a victim's account flows directly to the hackers’ accounts. The most popular Trojan, belonging to the Trojan-Clicker.AndroidOS.Ubsod malware family, receives URLs from its command and control server and opens them. According to KSN statistics, this Trojan infected almost 8 000 infected users from 82 countries, in July 2017.

“We haven’t seen these types of Trojans for a while. The fact that they have become so popular lately might indicate that cybercriminals have started to use other verified techniques, such as WAP-billing, to exploit users. Moreover, a premium rate SMS Trojan is more difficult to create. It is also interesting that malware has targeted mainly Russia and India, which could be connected to the state of their internal, local telecoms markets. However, we have also detected the Trojansin South Africa and Egypt”, says Roman Unuchek, security expert at Kaspersky Lab.
 Kaspersky Lab advises users to prevent any malicious actions and to stay protected, to be attentive to apps installed on their devices, to avoid those from unknown sources, and to always keep their device updated with the latest security protection.