When a security researcher announces that a new type of malware has been discovered, everyone’s first reaction is to ask what bad thing it has done: did it break into the device to steal information, or infect it to interfere with its use? The WAPDropper malware recently discovered by security researchers, however, is different.
Yesterday, security researchers warned of a newly discovered family of malware targeting mobile phone users that surreptitiously subscribes its victims to legitimate premium dial-up services.
Could it be working “undercover” for the telecom operators?
WAPDropper is a versatile malware dropper: it delivers second-stage malware and uses a machine-learning service to bypass image CAPTCHA challenges.
Multifunctional virus dropper
Cybersecurity firm Check Point discovered WAPDropper during a recent campaign in which targeted users were subscribed to premium dial-up services from telecom providers in Malaysia and Thailand.
Analysis of the malware revealed that it has two modules and functions as a multi-purpose virus dropper that can download and execute other malware on the infected device.
One module of WAPDropper is responsible for fetching the second-stage malware from the command and control server, while the other is responsible for fetching the premium dialer component.
Aviran Hazum, mobile research manager at Check Point, said: “WAPDropper is really versatile. Currently, the malware has not changed the advanced dialer, but in the future, this payload may be able to change anything an attacker wants.”
Do you think this is a kind of “silent love” from the malware operators? Not at all.
Profiting from the malware is not difficult: the more users are subscribed to the premium service, the more money the criminals who control or cooperate with the premium numbers can reap.
Bypassing image CAPTCHAs
According to Check Point, the operators of WAPDropper use a common tactic: bundling the malware into apps offered in unofficial app stores.
Once on the victim’s device, the malware contacts a command and control (C2) server to obtain the premium dialer. In a technical report, the researchers said the malware begins by gathering detailed information about the infected device, including the following:
List of all installed applications
List of running services
Package name of the top (foreground) activity
Whether the screen is on
Whether notifications are enabled for this app
Whether this app can draw overlays
Amount of storage space available
Total and available RAM
List of non-system applications
The malware then launches a WebView component to load the premium service’s login page and complete the subscription. Sized at a single pixel, the component is practically invisible on the screen.
Check Point said that if an image CAPTCHA challenge appears, WAPDropper uses a service from a company called “Super Eagle” that offers image recognition based on machine learning.
CAPTCHA solving has been around for a long time, and it is made easier by code written specifically for this purpose and available online for free.
To bypass the image CAPTCHA, WAPDropper has two options: one downloads the CAPTCHA image and sends it to the server; the other extracts the DOM tree of the page and sends it to Super Eagle’s server, which provides the machine-learning-based image recognition service.
Because WAPDropper is distributed through unofficial Android stores, Check Point advises users to download software only from official app stores to avoid infection.