A newly discovered malware strain has been identified in the wild that unwittingly registers victims for premium services provided by legitimate telecoms firms.
Named WAPDropper, the malware downloads and executes a payload, dropping a wireless application protocol (WAP) premium dialer which subscribes its victims to premium services in Thailand and Malaysia without their knowledge or consent.
The malware strain comprises two separate modules, according to Check Point Research, including a dropper module responsible for downloading the second-stage malware, and a premium dialer module that is responsible for the subscription element.
This campaign identified by the researchers subscribes users to premium services offered by legitimate telecoms providers in Thailand and Malaysia.
The scheme is centred on making calls to premium-rate numbers, which will, in turn, generate profit for the cyber criminals who collaborate with the owners of these particular phone numbers.
After the application is first installed on a device using third-party app stores, WAPDropper contacts the command and control server and receives the payloads to execute. This first payload is the premium dialer module, which opens a tiny web window and contacts premium services.
Once WAPDropper opens the landing pages, it’ll attempt to subscribe the victim to these services. Alarmingly, the process includes a mechanism that can bypass the CAPTCHA security requirement, which must be overcome to complete a transaction.
RELATED RESOURCE
How cyber attack simulations differ from penetration tests and vulnerability scanning
Exploring the Cymulate Edge
It’s at this stage that the operators deploy the services of Super Eagle, a Chinese firm that offers a machine learning tool for image recognition. When the malware submits the verification code image to the service, the platform returns the coordinate position of the recognition result in the image, then parses the coordinate simulation landing.
The malware also attempts to avoid detection by hiding its icon to prevent users from spotting it on their device and uninstalling the app. The malware also performs checks to determine whether the victim is using a proxy or virtual private network (VPN).
-
Google CEO Sundar Pichai says vibe coding has made software development ‘exciting again’News Google CEO Sundar Pichai claims software development has become “exciting again” since the rise of vibe coding, but some devs are still on the fence about using AI to code.
-
15-year-old revealed as key player in Scattered LAPSUS$ HuntersNews 'Rey' says he's trying to leave Scattered LAPSUS$ Hunters and is prepared to cooperate with law enforcement
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Mobile app security is a huge blind spot for developer teams – 93% are confident their applications are secure, but 62% reported breaches last yearNews Organizations are overconfident about their mobile app security practices, according to new research, and it’s putting enterprises and consumers alike at risk.
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
