Premium SMS Toll Fraud

A malicious app could use standard Android APIs to send SMS messages. SMS messages could potentially be sent to premium numbers that charge the device owner and generate revenue for an adversary[1].

On iOS, apps cannot send SMS messages.

On Android, apps must hold the SEND_SMS permission to send SMS messages. Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers [2].

ID: T1448
Tactic Type: Post-Adversary Device Access
Tactic: Impact
Platform: Android
Version: 1.1

Procedure Examples

Name Description
MazarBOT MazarBOT can send messages to premium-rate numbers. [5]
PJApps PJApps has the capability to send messages to premium SMS messages. [4]
RedDrop RedDrop tricks the user into sending SMS messages to premium services and then deletes those messages. [3]

Mitigations

Mitigation Description
Application Vetting
Use Recent OS Version Starting with Android 4.2 the user must provide consent before applications can send SMS messages to premium numbers. [2]

Detection

Starting with Android 4.2 the user is prompted and must provide consent before applications can send SMS messages to premium numbers.[2]

On Android 6.0 and up, the user can view which applications have permission to send SMS messages through the device settings screen, and the user can choose to revoke the permissions.

References