Carrier Billing Fraud

A malicious app may trigger fraudulent charges on a victim's carrier billing statement in several ways, including premium-rate SMS (SMS toll fraud) and SMS short codes that make purchases.

SMS fraud relies on the fact that, for SMS purchases, carriers verify the device (the subscriber number the message came from) but not the user behind it. An adversary with the ability to send SMS from the device can therefore make purchases on the user's behalf with little or no user interaction.[1]

Malicious applications may also perform toll billing, which targets carriers that expose a payment endpoint as a web page. Either the application loads the page over cellular data, so the carrier can identify the subscriber number directly from the connection, or the carrier sends a confirmation code via SMS and the application reads that message and enters the code into the page.[1]

On iOS, third-party apps cannot send SMS messages programmatically; the system message composer requires the user to send each message.

On Android, an app must hold the SEND_SMS permission to send SMS messages. Additionally, Android 4.2 and later mitigate this threat by prompting the user for consent before an SMS is sent to a premium-rate number [2].

ID: T1448
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Impact
Platforms: Android
Version: 2.0
Created: 25 October 2017
Last Modified: 04 May 2020
Provided by LAYER 8

Procedure Examples

S0432 Bread: Older Bread variants perform SMS fraud; newer variants perform toll fraud.[1]

S0303 MazarBOT: MazarBOT can send messages to premium-rate numbers.[3]

S0291 PJApps: PJApps has the capability to send messages to premium-rate SMS numbers.[4]

S0326 RedDrop: RedDrop tricks the user into sending SMS messages to premium services and then deletes those messages.[5]

Mitigations

M1005 Application Vetting: Application vetting services can check for applications that request SMS permissions, and can apply extra scrutiny to those that do.

M1006 Use Recent OS Version: Starting with Android 4.2, the user must provide consent before an application can send SMS messages to premium numbers.[2]
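The vetting check in M1005, and the permission combination the toll-billing flow described above depends on (reading an incoming SMS plus network access), can be expressed as a manifest triage rule. The script below is an added example, not code from ATT&CK or from any vetting service: it parses apktool-style decoded AndroidManifest.xml text, collects the requested permissions and any receiver registered for the SMS_RECEIVED broadcast, and assigns a risk tier. The three manifests and their package names are constructed for the example.

```python
"""Permission-combination triage for decoded Android manifests (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PRIORITY = "{%s}priority" % ANDROID_NS
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

SEND_SMS = "android.permission.SEND_SMS"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
READ_SMS = "android.permission.READ_SMS"
INTERNET = "android.permission.INTERNET"

# Constructed apktool-style manifests with hypothetical package names (not real apps).
SAMPLE_MANIFESTS = {
    # "Flashlight" that wants to send SMS, read replies, and reach the web.
    "flashlight": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>""",
    # Note-taking app that only needs the network.
    "notes": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>""",
    # SMS backup tool: reads messages and uploads them, but cannot send.
    "sms_backup": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.smsbackup">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>""",
}


def parse_manifest(xml_text):
    """Return (package, requested permissions, priorities of SMS_RECEIVED receivers)."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {el.get(A_NAME) for el in root.iter("uses-permission") if el.get(A_NAME)}
    priorities = []
    for receiver in root.iter("receiver"):
        for filt in receiver.iter("intent-filter"):
            actions = {a.get(A_NAME) for a in filt.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                priorities.append(int(filt.get(A_PRIORITY, "0")))
    return package, perms, priorities


def triage(xml_text):
    """Score one manifest by the fraud-relevant capabilities it requests."""
    package, perms, priorities = parse_manifest(xml_text)
    can_send = SEND_SMS in perms
    can_read = RECEIVE_SMS in perms or READ_SMS in perms
    findings = []
    if can_send:
        findings.append("SEND_SMS: can message premium-rate numbers "
                        "(Android 4.2+ prompts the user for premium destinations)")
    if can_read and INTERNET in perms:
        findings.append("SMS read + INTERNET: can lift a carrier confirmation code "
                        "from an incoming SMS and submit it to a web billing endpoint")
    if priorities and max(priorities) > 0:
        findings.append("SMS_RECEIVED receiver with priority %d: sees incoming SMS "
                        "before lower-priority receivers" % max(priorities))
    if can_send and can_read:
        risk = "high"     # can send, then read or hide the reply: both fraud paths open
    elif can_send or (can_read and INTERNET in perms):
        risk = "medium"   # one path; legitimate apps (SMS backup) also look like this
    else:
        risk = "low"
    return {"package": package, "permissions": sorted(perms),
            "findings": findings, "risk": risk}


def triage_all(manifests=SAMPLE_MANIFESTS):
    """Map each sample name to its risk tier, for a quick vetting report."""
    return {name: triage(xml)["risk"] for name, xml in manifests.items()}


if __name__ == "__main__":
    for name, xml in SAMPLE_MANIFESTS.items():
        result = triage(xml)
        print(name, result["package"], result["risk"])
        for finding in result["findings"]:
            print("   -", finding)
```

The tiers are a triage aid, not a verdict: an SMS backup tool legitimately requests READ_SMS and INTERNET, so "medium" means "review the app's stated purpose against these permissions", which is the extra scrutiny M1005 calls for. Running the script against a real decoded manifest only requires replacing the constructed samples with the file contents.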

Detection

Starting with Android 4.2, the user is prompted and must provide consent before an application can send SMS messages to premium numbers, so an unexpected prompt of this kind from an app that has no reason to send SMS is itself an indicator.[2]

On Android 6.0 and later, the user can view which applications hold permission to send SMS messages in the device settings and can revoke that permission.

References