45 changes: 45 additions & 0 deletions src/mobile-pentesting/android-app-pentesting/README.md
Expand Up @@ -127,6 +127,48 @@ Instead of custom sockets, some malware uses **Firebase Cloud Messaging (FCM)**

Native payloads can be delivered as encrypted ELF blobs and decrypted with `CipherInputStream()`, using a key **derived from SHA‑1 of the downloaded filename**. Each filename/version yields a distinct key, hindering static IOC reuse.

### Carrier-billing / premium-SMS fraud tradecraft

Some Android fraudware focuses on **charging the victim through the mobile operator path** instead of stealing banking credentials. The common pattern is to only activate when the SIM/operator matches a hardcoded or remotely supplied target list (**MCC/MNC / operator name / operator code**) and otherwise show benign content to reduce analyst exposure.

Typical workflow:
- Read telephony identifiers and **gate execution by operator/country**.
- If needed, **disable Wi‑Fi** so carrier portals see the victim coming from the mobile network.
- Open the carrier billing flow in a **hidden `WebView`** while the foreground UI shows unrelated content.
- Use JavaScript to press **Request OTP / Confirm** buttons and fill subscription forms.
- Capture the billing OTP with the **SMS Retriever API** or direct SMS access, then inject it into the hidden `WebView`.
- Fall back to **premium SMS** enrollment by sending keywords to short codes when the operator flow is SMS-based.
- Exfiltrate cookies, HTML, operator metadata, and conversion status to tune selectors and campaign analytics.

Interesting implementation details to hunt for during reversing:
- **Operator gating:** `TelephonyManager.getSimOperator()`, `getSimOperatorName()`, `getNetworkOperator()` plus hardcoded MCC/MNC lists.
- **Hidden WebViews:** off-screen/minimized `WebView` objects loading carrier URLs while the visible UI keeps the user distracted.
- **JS-driven fraud:** `evaluateJavascript(...)` / `loadUrl("javascript:...")` used to click billing buttons or populate TAC/OTP fields.
- **OTP interception without `READ_SMS`:** malware can abuse Google's [SMS Retriever API](https://developers.google.com/android/reference/com/google/android/gms/auth/api/phone/SmsRetrieverApi) to receive OTP-style messages that match the retriever flow.
- **Cookie theft:** `CookieManager.getInstance().getCookie(<billing_url>)` after loading the carrier page to reuse the WebView billing session.
- **Delayed SMS scheduling:** premium SMS sends spaced by 60-90 seconds to look less bursty and bypass anti-fraud heuristics.
- **Telemetry over public services:** Telegram Bot API or similar SaaS channels used as a lightweight install / send-status / operator-reporting backend.

Quick triage ideas:
```bash
rg -n 'getSimOperator|getNetworkOperator|SmsRetriever|startSmsRetriever|sendTextMessage|CookieManager|getCookie|setWifiEnabled|evaluateJavascript|javascript:' .
```

```javascript
Java.perform(() => {
const CM = Java.use('android.webkit.CookieManager');
CM.getCookie.overload('java.lang.String').implementation = function (url) {
console.log('[CookieManager] ' + url);
return this.getCookie(url);
};
});
```

Testing notes:
- Force different operator paths in the emulator/device by hooking `TelephonyManager` getters or patching Smali constants.
- Watch for **network changes** before the billing page is opened; toggling Wi‑Fi can be the signal that the malware needs the operator-authenticated path.
- If the sample keeps a benign page visible, inspect for **secondary/off-screen WebViews** and dump both the HTML and cookies after each carrier portal load.

### OEM system-app droppers and `customer.prop` root backdoors

Cheap Android TVs/projectors and other OEM devices sometimes ship with **privileged system apps** signed with **AOSP test keys** or an OEM platform key, plus **weak boot-property handling**. Treat these builds as both an Android-app and firmware target: the system app can act as a **dropper**, while insecure OEM partitions can turn **ADB over TCP** into a repeatable root backdoor.
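Review bot: the "OTP interception without `READ_SMS`" bullet overstates what the SMS Retriever API delivers: it only hands an app messages that carry that app's 11-character hash string, so a carrier billing OTP is only caught this way when the message format (or the campaign's own sending side) includes that hash; for arbitrary operator OTPs the sample still needs `READ_SMS`/`RECEIVE_SMS` or a broadcast receiver, which is worth stating so an analyst does not stop hunting for those permissions when the Retriever call is present. The triage grep should also cover the sibling SMS User Consent flow, e.g. add `startSmsUserConsent` to the `rg` pattern next to `startSmsRetriever`, and the Frida snippet would be more useful if the hook also logged the returned cookie value (keep `const c = this.getCookie(url); console.log(c); return c;`) since the text says to dump both HTML and cookies after each portal load.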
Expand Down Expand Up @@ -1091,5 +1133,8 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
- [BeatBanker: A dual‑mode Android Trojan](https://securelist.com/beatbanker-miner-and-banker/119121/)
- [Pre-installed C2 Infrastructure and RAT Payload on Android Projectors](https://github.com/Kavan00/Android-Projector-C2-Malware)
- [Reverse-engineering pre-installed Android malware with Claude Code](https://zanestjohn.com/blog/reing-with-claude-code)
- [Premium Deception: Uncovering a Global Android Carrier Billing Fraud Campaign](https://zimperium.com/blog/premium-deception-uncovering-a-global-android-carrier-billing-fraud-campaign)
- [SmsRetrieverApi reference](https://developers.google.com/android/reference/com/google/android/gms/auth/api/phone/SmsRetrieverApi)
- [Android `CookieManager` reference](https://developer.android.com/reference/android/webkit/CookieManager)

{{#include ../../banners/hacktricks-training.md}}
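Review bot: the `SmsRetrieverApi` reference is already linked inline in the new "OTP interception without `READ_SMS`" bullet above, so the added entry here duplicates it; either keep only the inline link or, if the reference list is meant to be complete, pair it with the Android `SmsManager`/`sendTextMessage` documentation that the premium-SMS bullet and the `rg` pattern rely on, so every API named in the section has one entry in this list.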