
Malware responsible for airtime theft


Jenna Delport


Nearly 1.7 million mobile subscribers are infected with mobile malware in South Africa alone, according to 2019 data from mobile security company Secure-D.

According to the company, malware is the main culprit responsible for airtime theft and mobile ad fraud evident in the country, with 18 000 instances found on South African users’ devices.

Mobile malware can either be downloaded on the device by the user via an app, or come pre-installed. Once activated on the device, mobile malware becomes part of a “botnet” (short for robot network) of infected devices. These botnets, networks of malware-infused devices, are being remote-controlled at scale by a “bot-herder”.

In the case of mobile ad fraud, the malicious application visits websites, clicks on banner ads and simulates a real person going through a subscription or other Direct Carrier Billing purchase process. It even overrides a two-step authentication process, all the while remaining undetected by the user. The fraudsters’ goal is to claim pay-outs from advertisers for bogus traffic.

The result is unsolicited airtime charges. Users can detect the early signs of malware infection when they see their mobile data plan being rapidly depleted for no apparent reason.

What is especially tricky about mobile malware is that it continues to operate without raising the suspicions of the user of the device.

Tricks include making sure the app functions well even when malware runs in the background, or ensuring that excessive battery drain doesn’t occur. Some apps change their name after they have been downloaded or remain totally out of sight, meaning they cannot be found as an app icon on the device’s home screen.

The worst offending apps in the country from June to August 2020, according to Secure-D, are: Shareit, a sharing app with cross-platform transfer speed and free online feeds including movies, videos, music, wallpapers and GIFs; Vivavideo, an app for editing photos and videos that has been downloaded more than 100 million times worldwide, and from which Secure-D has blocked more than half a million fraudulent transactions in South Africa alone; and StatusSaver, an app that shows users’ statuses from four different apps and environments.

To avoid falling victim to unwanted purchases or losing pre-paid credit, Android users, in particular, should check their phones to see if they have any of the apps flagged as suspicious installed. If so, they should uninstall them immediately and review any new mobile airtime charges for possible fraud.

ITNews Africa