The Microsoft 365 Defender Team says there's an increase in the popularity of malware that can sign users up for premium services without their knowledge. The attack is very complex, and there are many ways for the malware to carry it out.
To begin with, the applications that carry the malware are typically identified by the term "toll fraudulent apps" and employ "dynamic loaders" to execute the attack. The malware subscribes you to a premium service that is charged to your monthly telecom bill, so you end up paying for the service.
The malware only works over WAP (Wireless Application Protocol), which is used by mobile networks. That's the reason some variants of the malware disable your Wi-Fi, or simply wait for you to move out of Wi-Fi coverage.
This is where dynamic code loading comes into the picture. Working in the background, the malware enrolls you in a service, reads the OTP (one-time password) you may receive prior to signing up, fills in the OTP field for you, and then hides the message to cover its tracks.
The good news is that the malware is distributed largely outside Google Play, because Google restricts the use of dynamic code loading by applications. Be cautious and avoid sideloading Android applications.
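
A static triage sketch for the behaviours described above, added here as an example and not taken from Microsoft's report: it reads a decoded AndroidManifest.xml and flags an app that can toggle Wi-Fi, read incoming SMS and listen to notifications all at once. The permission-to-behaviour mapping, the function names and both sample manifests are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed heuristic: behaviours from the article mapped to Android permissions.
# Dynamic code loading is not visible in the manifest and is not checked here.
BEHAVIOURS = {
    "toggle_wifi": {"android.permission.CHANGE_WIFI_STATE"},
    "read_sms_otp": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "hide_notifications": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
}

def toll_fraud_indicators(manifest_xml):
    """Return the sorted behaviour names whose permissions the manifest declares."""
    root = ET.fromstring(manifest_xml)
    declared = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # A notification listener is declared on its <service>, not via <uses-permission>.
    declared |= {e.get(ANDROID_NS + "permission") for e in root.iter("service")}
    declared.discard(None)
    return sorted(name for name, perms in BEHAVIOURS.items() if perms & declared)

def is_suspicious(manifest_xml):
    """Flag only the full combination; any single permission alone is common."""
    return len(toll_fraud_indicators(manifest_xml)) == len(BEHAVIOURS)

# Constructed sample: a "wallpaper" app requesting the whole combination.
SAMPLE_SUSPICIOUS = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wallpapers">
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".Listener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: a messaging app that only reads SMS.
SAMPLE_BENIGN = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.messages">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, toll_fraud_indicators(xml), is_suspicious(xml))
```

A hit is a reason to look closer at a sideloaded app, not proof of toll fraud, since legitimate apps can hold any of these permissions.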