A malicious app may trigger fraudulent charges on a victim’s carrier billing statement in several different ways, including SMS toll fraud and SMS shortcodes that make purchases.
Performing SMS fraud relies heavily upon the fact that, when making SMS purchases, the carriers perform device verification but not user verification. This allows adversaries to make purchases on behalf of the user, with little or no user interaction.
Malicious applications may also perform toll billing, which occurs when carriers provide payment endpoints over a web page. The application connects to the web page over cellular data so the carrier can directly verify the number, or the application must retrieve a code sent via SMS and enter it into the web page.
On iOS, apps cannot send SMS messages.
On Android, apps must hold the
SEND_SMS permission to send SMS messages. Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers .
Application vetting services can check for applications that request SMS permissions, and can provide extra scrutiny to those that do.
|M1006||Use Recent OS Version||
Starting with Android 4.2 the user must provide consent before applications can send SMS messages to premium numbers.
Starting with Android 4.2 the user is prompted and must provide consent before applications can send SMS messages to premium numbers.
On Android 6.0 and up, the user can view which applications have permission to send SMS messages through the device settings screen, and the user can choose to revoke the permissions.