Microsoft has warned of malware called ‘toll fraud’ that targets Android users via the Google Play Store. The company describes the malware as disguised as normal apps on the Google Play Store; once installed, it drains the wallets of unsuspecting users. Microsoft further explains that toll fraud malware is a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent.
Toll fraud has been identified as one of the most prevalent types of malware targeting Android users. Compared to other subcategories of billing fraud, such as SMS fraud and call fraud, toll fraud exhibits more unique behaviours. Over the years, this type of malware has continued to evolve, using various approaches and social engineering. While SMS fraud or call fraud uses a simple attack flow to send messages or place calls to user numbers, toll fraud uses a more complex approach with multiple steps that malware developers continue to identify and improve.
Microsoft explains how the malware operates in a blog post: “We saw new capabilities related to how this threat targets users of specific network operators. It performs its routines only if the device is subscribed to any of its target network operators. It also, by default, uses the cellular connection for its activities and forces devices to connect to the mobile network even if a Wi-Fi connection is available.” The blog post further explains that “Once the connection to a target network is confirmed, it stealthily initiates a fraudulent subscription and confirms it without the user’s consent, in some cases even intercepting the one-time password (OTP) to do so. It then suppresses SMS notifications related to the subscription to prevent the user from becoming aware of the fraudulent transaction and unsubscribing from the service.”
Microsoft has identified possible ways this malware gets onto Android users' phones:
- The attack starts when a user downloads an app from the Google Play Store that the malware is disguised as.
- These trojan apps are usually listed in popular categories in the app store such as personalization (wallpaper and lock screen apps), beauty, editor, communication (messaging and chat apps), photography, and tools (like cleaner and fake antivirus apps).
- The researchers say that these apps ask for permissions that don’t make sense for what the app does (e.g. a camera or wallpaper app asking for SMS or notification listening privileges).
How to keep your device secure and stay safe from the malware
Microsoft has identified high financial loss as the main impact of the toll fraud malware. This is a result of its sophisticated cloaking techniques. That said, prevention on the user's side plays a key role in keeping the device secure. Researchers and cyber security experts recommend avoiding installing Android applications from untrusted or unverified sources and always keeping up with device updates. Microsoft also recommends that end users take these steps to protect themselves from toll fraud malware:
- Install applications only from the Google Play Store or other trusted sources.
- Avoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong understanding of why the application needs it. These are powerful permissions that are not commonly needed.
- Use a solution such as Microsoft Defender for Endpoint on Android to detect malicious applications.
- If a device is no longer receiving updates, strongly consider replacing it with a new device.
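
The permission mismatch described above (a wallpaper or camera app asking for SMS or notification listener access) can be checked mechanically. The following is an added example, not code from Microsoft or from the original article: it reads a decoded AndroidManifest.xml and reports sensitive access that the app's store category does not explain. The category-to-permission mapping and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The three kinds of access the advice above singles out, keyed by the
# Android permission strings that grant them.
SENSITIVE = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_listener",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
}

# Assumption for this example: access a store category plausibly justifies.
# Any category not listed here is treated as justifying none.
EXPECTED = {"communication": {"sms"}}

# Constructed sample: decoded manifest of a made-up wallpaper app.
WALLPAPER_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".Listener"
      android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

def sensitive_capabilities(manifest_xml):
    """Return the set of sensitive capabilities a manifest declares."""
    root = ET.fromstring(manifest_xml)
    found = set()
    # SMS access is requested with <uses-permission android:name="...">.
    for el in root.iter("uses-permission"):
        found.add(SENSITIVE.get(el.get(ANDROID_NS + "name")))
    # Notification listener and accessibility access appear as a <service>
    # guarded by the matching BIND_* permission.
    for el in root.iter("service"):
        found.add(SENSITIVE.get(el.get(ANDROID_NS + "permission")))
    found.discard(None)  # drop permissions that are not in SENSITIVE
    return found

def unexplained(manifest_xml, category):
    """Sensitive capabilities the given store category does not justify."""
    return sorted(sensitive_capabilities(manifest_xml) - EXPECTED.get(category, set()))

if __name__ == "__main__":
    print(unexplained(WALLPAPER_MANIFEST, "personalization"))
```

A non-empty result is a prompt for manual review, not proof of malice; some legitimate apps have reasons for these permissions that a category label does not capture.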
About a month ago, Microsoft announced the release of extended protection for its security product, Microsoft Defender. The product is aimed at simplifying personal device security and can bring together various security elements on a single dashboard. The Microsoft Defender antivirus product was initially built primarily into Windows 10 and 11, but it is now available to protect a wide range of devices: not just PCs running Windows, but also macOS, iOS, and Android devices. Microsoft Defender for individuals is designed to protect devices and offers security tips that bridge any security gaps that may arise.