WAPDropper malware hooks you up to premium telecoms services
Hackers have incorporated machine learning into a strain that subscribes victims to legitimate services provided by telecoms firms
A newly discovered malware strain has been identified in the wild that unwittingly registers victims for premium services provided by legitimate telecoms firms.
Named WAPDropper, the malware downloads and executes a payload, dropping a wireless application protocol (WAP) premium dialer which subscribes its victims to premium services in Thailand and Malaysia without their knowledge or consent.
The malware strain comprises two separate modules, according to Check Point Research, including a dropper module responsible for downloading the second-stage malware, and a premium dialer module that is responsible for the subscription element.
This campaign identified by the researchers subscribes users to premium services offered by legitimate telecoms providers in Thailand and Malaysia.
The scheme is centred on making calls to premium-rate numbers, which will, in turn, generate profit for the cyber criminals who collaborate with the owners of these particular phone numbers.
After the application is first installed on a device using third-party app stores, WAPDropper contacts the command and control server and receives the payloads to execute. This first payload is the premium dialer module, which opens a tiny web window and contacts premium services.
Once WAPDropper opens the landing pages, it’ll attempt to subscribe the victim to these services. Alarmingly, the process includes a mechanism that can bypass the CAPTCHA security requirement, which must be overcome to complete a transaction.
RELATED RESOURCE
How cyber attack simulations differ from penetration tests and vulnerability scanning
Exploring the Cymulate Edge
It’s at this stage that the operators deploy the services of Super Eagle, a Chinese firm that offers a machine learning tool for image recognition. When the malware submits the verification code image to the service, the platform returns the coordinate position of the recognition result in the image, then parses the coordinate simulation landing.
The malware also attempts to avoid detection by hiding its icon to prevent users from spotting it on their device and uninstalling the app. The malware also performs checks to determine whether the victim is using a proxy or virtual private network (VPN).
-
Brace yourselves for a vulnerability explosion, Forescout warnsNews AI advances are helping identify software flaws at record pace and scale, but that's not the good news some would think
-
Ubuntu vulnerability exposes enterprises to root escalation, complete system compromiseNews The high-severity Ubuntu vulnerability allows an unprivileged local attacker to escalate privileges through the interaction of two standard system components
-
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerabilityNews Threat actors have been exploiting the vulnerability to achieve root access since 2023
-
Millions of developers could be impacted by flaws in Visual Studio Code extensions – here's what you need to know and how to protect yourselfNews The VS Code vulnerabilities highlight broader IDE security risks, said OX Security
-
CVEs are set to top 50,000 this year, marking a record high – here’s how CISOs and security teams can prepare for a looming onslaughtNews While the CVE figures might be daunting, they won't all be relevant to your organization
-
Microsoft patches six zero-days targeting Windows, Word, and more – here’s what you need to knowNews Patch Tuesday update targets large number of vulnerabilities already being used by attackers
-
Experts welcome EU-led alternative to MITRE's vulnerability tracking schemeNews The EU-led framework will reduce reliance on US-based MITRE vulnerability reporting database
-
Veeam patches Backup & Replication vulnerabilities, urges users to updateNews The vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds – but not previous versions.
