CERT-In issues high severity alert on Xafekopy WAP billing trojan affecting Android smartphones

Once installed, the trojan disables the WiFi and subscribes to WAP (Wireless Application Protocol) services without the knowledge of the user.

The Indian Computer Emergency Response Team (CERT-In) has issued a high security alert on the Xafekopy trojan that affects Android smartphones. The malware is distributed under the guise of utility applications, typically an app to optimise the battery performance. Once installed, the trojan disables the WiFi and subscribes to WAP (Wireless Application Protocol) services without the knowledge of the user. WAP sites support carrier billing, and the trojan can result in financial loss to the affected users, without the user having to feed in any credit card information or other details.

Image: SecureList

The transactions to subscribe to the WAP services do not need to be authenticated by the user, who may not even be aware of the activities of the trojan. The malware is capable of bypassing captcha checks, which are meant to identify and filter out bots, or applications that work without a human being in control. Apart from subscribing to WAP services, which show up in the bill from the carrier, the trojan also automatically clicks on ads, earning money for the attackers in the process.

Precautionary measures suggested by CERT-In include not downloading and installing any applications from untrusted application stores, and keeping the "Untrusted Sources" box unchecked in the device settings. Users have also been advised to properly check the application privileges and evaluate if the permissions requested are aligned with the purpose of the application. CERT-In has also asked users to upgrade their Android devices periodically with the latest security patches. The Xafekopy trojan affects only Android smartphones.
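The permission review advised above can be scripted. The following is an added example, not code from CERT-In or SecureList: it compares the permissions declared in a decoded, text-form AndroidManifest.xml against a baseline for the app's claimed purpose. The baseline set, the sample manifest and the package name are constructed assumptions, not taken from a Xafekopy sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: permissions a genuine battery-optimiser utility could plausibly need.
BATTERY_UTILITY_BASELINE = {
    "android.permission.BATTERY_STATS",
    "android.permission.WAKE_LOCK",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Permissions that enable the behaviour the article describes (turning WiFi off
# so that traffic uses the carrier's data connection, where WAP billing applies).
CONNECTIVITY_CONTROL = {
    "android.permission.CHANGE_WIFI_STATE": "can disable WiFi",
    "android.permission.CHANGE_NETWORK_STATE": "can change the active data connection",
}

# Constructed sample manifest for a hypothetical "battery saver" app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.batterysaver">
  <uses-permission android:name="android.permission.BATTERY_STATS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
  <uses-permission-sdk-23 android:name="android.permission.WAKE_LOCK"/>
</manifest>
"""

def audit_manifest(manifest_xml, baseline=BATTERY_UTILITY_BASELINE):
    """Return sorted (permission, level, reason) tuples for permissions outside the baseline."""
    # For manifests pulled from untrusted APKs, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(manifest_xml.strip())
    findings = set()
    for elem in root.iter():
        if elem.tag not in ("uses-permission", "uses-permission-sdk-23"):
            continue
        name = elem.get(ANDROID_NS + "name")
        if not name or name in baseline:
            continue
        if name in CONNECTIVITY_CONTROL:
            findings.add((name, "high", CONNECTIVITY_CONTROL[name]))
        else:
            findings.add((name, "review", "outside the assumed baseline for this app category"))
    return sorted(findings)

if __name__ == "__main__":
    for perm, level, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{level}] {perm}: {reason}")
```

A "review" finding is not proof of malice (ad-supported apps request INTERNET); it marks a permission the reviewer should be able to explain from the app's stated purpose.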
