Premium SMS Toll Fraud

A malicious app could use standard Android APIs to send SMS messages, including to premium numbers that charge the device owner and generate revenue for an adversary.[1]

On iOS, apps cannot send SMS messages.

On Android, apps must hold the SEND_SMS permission to send SMS messages. Additionally, Android 4.2 and above mitigates this threat by requiring user consent before SMS messages can be sent to premium numbers.[2]

ID: T1448

Tactic Type: Post-Adversary Device Access

Tactic: Effects

Platform: Android

Version: 1.1

Mitigations

Mitigation | Description
Application Vetting |
Use Recent OS Version | Starting with Android 4.2, the user must provide consent before applications can send SMS messages to premium numbers.[2]

Examples

Name | Description
MazarBOT | MazarBOT can send messages to premium-rate numbers.[3]
PJApps | PJApps has the capability to send messages to premium SMS numbers.[4]
RedDrop | RedDrop tricks the user into sending SMS messages to premium services and then deletes those messages.[5]

Detection

Starting with Android 4.2, the user is prompted and must provide consent before applications can send SMS messages to premium numbers.[2]

On Android 6.0 and up, the user can view which applications have permission to send SMS messages through the device settings screen, and the user can choose to revoke the permissions.
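An application-vetting check for the conditions described above, as an added example that is not part of the original page: it reads an app manifest, reports whether SEND_SMS is requested, and flags apps that can be installed on devices older than Android 4.2 (API level 17), where no premium-number consent prompt exists. It assumes the manifest has already been decoded from the APK to text XML; the package names and manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SEND_SMS = "android.permission.SEND_SMS"
API_PREMIUM_SMS_CONSENT = 17  # Android 4.2: consent prompt for premium numbers
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'

# Constructed sample manifests (hypothetical package names, not real apps).
SAMPLES = {
    "flashlight": f"""<manifest {NS} package="com.example.flashlight">
      <uses-sdk android:minSdkVersion="9"/>
      <uses-permission android:name="android.permission.SEND_SMS"/>
    </manifest>""",
    "messenger": f"""<manifest {NS} package="com.example.messenger">
      <uses-sdk android:minSdkVersion="23"/>
      <uses-permission android:name="android.permission.SEND_SMS"/>
    </manifest>""",
    "sdk23only": f"""<manifest {NS} package="com.example.sdk23only">
      <uses-sdk android:minSdkVersion="9"/>
      <uses-permission-sdk-23 android:name="android.permission.SEND_SMS"/>
    </manifest>""",
    "notes": f"""<manifest {NS} package="com.example.notes">
      <uses-permission android:name="android.permission.INTERNET"/>
    </manifest>""",
}


def vet_manifest(manifest_xml):
    """Return SEND_SMS findings for one decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)

    def declares(tag):
        return any(p.get(ANDROID + "name") == SEND_SMS for p in root.iter(tag))

    all_devices = declares("uses-permission")          # requested on every API level
    api23_only = declares("uses-permission-sdk-23")    # requested on Android 6.0+ only
    uses_sdk = root.find("uses-sdk")
    raw_min = uses_sdk.get(ANDROID + "minSdkVersion") if uses_sdk is not None else None
    min_sdk = int(raw_min) if raw_min and raw_min.isdigit() else 1  # platform default is 1
    return {
        "package": root.get("package"),
        "requests_send_sms": all_devices or api23_only,
        "min_sdk": min_sdk,
        # Installable where the OS will not ask before a premium-number send.
        "runs_without_consent_prompt": all_devices and min_sdk < API_PREMIUM_SMS_CONSENT,
    }


if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(name, vet_manifest(xml_text))
```

A finding here is a prompt for review rather than a verdict: legitimate messaging apps also request SEND_SMS, so the flag is most useful when the permission does not fit the app's stated purpose.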

References