Looking back ahead – WAP-billing in modern Android malware


Everyone who has been tricked into purchasing a subscription via their mobile device knows how frustrating, expensive and tedious it can be to get out of it. A newly discovered malware is capable of purchasing dozens of those subscriptions without the user’s knowledge or consent, resulting in a nasty surprise when the next monthly invoice arrives.

WAP billing is not new

Those subscription models have been a popular and lucrative business models for more than a decade. For some time, those subscriptions were marketed very aggressively on TV music stations. You sent a text message with a certain word to a phone number and you pay on a weekly basis via your invoice in return for ringtones, wallpapers, horoscopes and the like. It was not always evident that you actually purchased a subscription, though. This resulted in some harsh criticism from consumer advocates.

This method called „WAP billing“ is still in use today as a payment method for services or for charity donations. Effectively, you pay with your phone number. You can either send a text message with a keyword to a certain number or you enter your mobile number on a website.

What is WAP?

WAP stands for Wireless Access Protocol and describes a collection of technologies which are a precursor to today's mobile internet services. In the late 90s, devices appeared on the market which were able to access the internet via WAP. Among other things, MMS services are also based on WAP. The traffic was usually paid for on a per-click basis. It could also be used for payment services, often to the dismay of those who unwillingly accessed premium services. In some countries, carriers now redirect requests to a website which informs them that they are about to access a premium service. The user can then make a decision to either continue and purchase the service or to abort the process. 

Abuse in malware

Both methods are used by a new piece of Android malware which is hidden in an app which claims to „optimize“ your mobile phone’s battery. In the background, though, the app accesses various websites and automatically purchases subscriptions. As a user you will not learn about this until the next monthly invoice arrives. Of course, providers of such subscription services are forced to make an effort to prevent abuse. Usually, whenever a subscription is purchased the customer needs to solve a CAPTCHA or enter a confirmation code, which was received via text message. The Xafecopy malware circumvents those measures by simulating keystrokes and transmitting them in the background. That way, the malicious app can theoretically purchase an unlimited number of subscriptions.

There are clear indications that the malware originates from Asia.

How to protect yourself

  1. Check the permissions which an app requests and ask yourself whether or not a particular permission makes sense in the context of the app. Why should a battery optimization app require the permission to send messages to a premium service number?
    Current versions of Android allow you to revoke certain permissions after installation, but those considerations should really be made before downloading any suspicious app.
  2. Ask your carrier to block access to premium services. This makes it impossible for malware to drain your bank account by purchasing unwanted subscriptions.
  3. Install a good malware protection on your mobile device

Further information

If you would like to know more, you can download the full analysis by clicking the preview below.