How Malware Apps Cause Unwanted Purchases in the Middle East and How to Protect Yourself Against Them

Malware apps containing Joker malware first hit the news in 2017, when they were used to steal personal data. Since then, they have continued to be used to collect personal data illegally and to make payments without users’ consent. Joker is classed as “trojan” software: it simulates clicks and generates One-Time-Password (OTP) codes to subscribe users to unwanted purchases such as Value-Added Services (VAS) on their phones, which are then billed directly to their post-paid or pre-paid phone plans. Typically, malware apps claim to offer legitimate services such as wallpapers, quotes or games, then perform malicious activity while users interact with the normal-looking interface.

In 2020, 70% of the traffic presented to Empello’s fraud prevention solution, FraudStop, was blocked, which shows a high level of fraud across the more than 30 countries where the product is deployed. In 2021, we continued to see similar levels, with 64% of traffic blocked via FraudStop. This demonstrates that fraudulent traffic remains an obstacle to growth in the VAS industry while at the same time harming millions of people.

Looking deeper, the percentage of blocked traffic varies from country to country, and some regions suffer more from in-app malware than others. Our experience shows that large volumes of high-risk clicks correlate with high volumes of in-app traffic. Through manual testing on physical phones, we recorded a total of 1,372 auto-subscriptions in 2021. Whilst 1,372 auto-subscriptions may seem small globally, it is just the tip of the iceberg: a single malware app that we download and test has typically been downloaded by hundreds of thousands of people, and some reach 1 million downloads. As a result, the number of auto-subscriptions we encounter in-market continues to grow year on year despite ongoing efforts by the Google Play Store to keep malware out of its app catalogue.

In the next paragraphs, we will examine in detail what malware apps are and how they can harm customers. Moreover, we will look at the flawed role the OTP plays in the ecosystem. To support this, we will be looking at data from the Middle East and South Africa. Keep reading to know how to protect yourself from unwanted phone bill charges.

In 2021 in-app malware continues to defeat OTP protection measures

The following example illustrates how malware apps found on the Google Play Store can steal users’ personal data and charge them without consent:

Figure: Screen capture of malware apps

  1. Users download an app claiming to be a messaging service.
  2. The app interface is designed to resemble other messaging apps.
  3. Users are asked to agree to make this app the default messaging app, giving it access to contacts and calling services. Through this interaction with the user, the Joker malware app is now able to steal the phone’s SMS messages.
  4. After the user grants the app access to the phone’s information, they receive an SMS confirming a subscription to a VAS.
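The step that makes this flow work is the app gaining the right to read incoming SMS, which is what lets it see the subscription OTP. A defender-side triage for a handset is to list which installed packages actually hold SMS permissions and compare that list with the configured default SMS app. The script below is an added example written for this article; it is not Empello’s tool. It parses a constructed excerpt in the shape of `adb shell dumpsys package` output (the package names are invented), and the live path assumes a device reachable over `adb` and uses the AOSP secure setting `sms_default_application` for the default SMS app.

```python
"""Triage which Android packages can read or receive SMS (added example, not the article's tool)."""
import re
import subprocess
import sys
from typing import Dict, FrozenSet, List, Set

# Constructed excerpt in the shape of `adb shell dumpsys package` output.
# Not a real device dump; package names and hashes are invented for illustration.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.messenger] (1a2b3c):
    userId=10234
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
      android.permission.SEND_SMS: granted=true, flags=[ USER_SET ]
  Package [com.example.wallpapers] (4d5e6f):
    userId=10235
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
  Package [com.android.messaging] (7a8b9c):
    userId=10100
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ SYSTEM_FIXED ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ SYSTEM_FIXED ]
"""

# The permissions that let an app observe or send OTP traffic.
SMS_PERMISSIONS: FrozenSet[str] = frozenset({
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
})

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def parse_granted_sms_permissions(dumpsys_text: str) -> Dict[str, Set[str]]:
    """Map each package to the SMS permissions it currently holds (granted=true only)."""
    granted: Dict[str, Set[str]] = {}
    current = None
    for line in dumpsys_text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            continue
        perm = PERM_RE.match(line)
        if perm and current and perm.group(2) == "true" and perm.group(1) in SMS_PERMISSIONS:
            granted.setdefault(current, set()).add(perm.group(1))
    return granted


def flag_unexpected(granted: Dict[str, Set[str]], default_sms_app: str,
                    allowlist: FrozenSet[str] = frozenset()) -> List[str]:
    """Packages with SMS permissions that are neither the default SMS app nor allowlisted.

    Note that an app which talked the user into becoming the default SMS app (the case
    described in the article) will NOT appear here; always also check what the default is.
    """
    return sorted(p for p in granted if p != default_sms_app and p not in allowlist)


def adb_shell(*args: str) -> str:
    """Run a shell command on the connected device (assumes `adb` is on PATH)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


def run_live_check(allowlist: FrozenSet[str] = frozenset()):
    """Query a real device: default SMS app, SMS-capable packages, and the suspects."""
    dump = adb_shell("dumpsys", "package")
    default_app = adb_shell("settings", "get", "secure", "sms_default_application").strip()
    granted = parse_granted_sms_permissions(dump)
    return default_app, granted, flag_unexpected(granted, default_app, allowlist)


if __name__ == "__main__":
    if "--live" in sys.argv:
        default_app, granted, suspects = run_live_check()
    else:  # offline demo on the constructed sample
        default_app = "com.android.messaging"
        granted = parse_granted_sms_permissions(SAMPLE_DUMPSYS)
        suspects = flag_unexpected(granted, default_app)
    print(f"default SMS app: {default_app}")
    for pkg, perms in sorted(granted.items()):
        print(f"  {pkg}: {', '.join(sorted(perms))}")
    print("review these packages:", suspects or "none")
```

Run it with `--live` against a handset to check a real device; without the flag it walks the constructed sample. The point of printing the default SMS app separately is that the default app is allowed all of these permissions by design, so a malicious app that has been made the default does not show up in the suspect list and has to be judged by name.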

This type of billing fraud is a significant threat to millions of people, and it can also erode public confidence in big brands like Google. The steep global upward trend in auto-subscriptions is most prominent in the Gulf region, despite the implementation of OTP flows to protect consumers. The most notable increase occurred in Bahrain, where the number of detected auto-subscriptions grew by 435% between 2020 and 2021. Saudi Arabia saw a 434% increase in auto-subscriptions, and Oman a 305% increase. Outside the Gulf region, South Africa records the most auto-subscription issues despite the anti-fraud measures implemented by Vodacom and MTN.

How can people protect themselves against unwanted purchases?

Update your phone and apps regularly

Almost every new software update includes important security fixes, so install updates as soon as they are made available. Most smartphones will remind you when a system update is ready, and most apps will notify you via the iOS App Store or the Google Play Store.

Use strong passwords

The more complex your password is, the harder it is to crack. Make sure you use a mix of lowercase and uppercase characters as well as numbers and symbols.

Set up two-factor authentication

In addition to a strong password, set up two-factor authentication, an extra verification step required to log in to your account. Usually, the authentication process involves a code sent to your mobile phone by message, which you then enter on the login page to authenticate yourself.

Download an antivirus on your mobile phone

A trusted antivirus app will keep your phone clean from viruses. It will also notify you of potential attacks on your phone.

Treat your phone number as a credit card

Are you aware that your phone number is enough to make payments? Yes, with one click you can be subscribed to paid services. It is important to treat your phone number as a credit card and keep it safe. If you are not sure why a website is asking for your phone number, then do not enter it.

Be careful of offers that are too good to be true

“Win a free iPhone by entering your phone number” sounds too good to be true. It is tempting to enter your phone number as there seems to be nothing to lose. However, your phone number risks being subscribed to a paid service.

Do not trust websites offering free gaming coins or gems

Many fraudulent websites offer freebies and hacks to advance you in certain games. They typically offer a huge number of coins, gems or even gift card vouchers. In exchange, they require you to complete a “human verification” by entering your phone number. This verification is a scam: it is the step that captures your phone number and subscribes you to paid services.

Do not trust unverified brand or celebrity social media pages

Many fraudsters pose as a brand or celebrity on social media, typically using their images and their notoriety to scam people. Those scams usually offer free money. Their posts go viral because the first step to claim the free money is to share the post. The second step is to enter your phone number on a website.

Do not share offers that you deem too good to be true

It is tempting to invite your friends to take advantage of the latest “free iPhone giveaways” – but you are only making this scam (unknowingly) viral and putting other people at risk. Do not share any offers which sound too good to be true.

Do not download apps from untrusted sources

Some apps on Android may automatically download to your phone as an “apk” file while you are browsing the web. Delete those files as soon as they download and do not open them. Moreover, apps downloaded from unofficial app stores are more likely to contain malware that risks subscribing you to services without your permission. As an extra precaution, make sure you uncheck the “Install from unknown sources” option on Android.

Watch out for signs in your phone

If your phone is infected by app malware that could subscribe you to paid services without your permission, look out for the following signs: your phone overheating, your battery draining quickly and your apps taking too long to load.

Always read your phone bill and check for suspicious charges

Reading your phone bill regularly will help you spot suspicious charges. Your credit may be disappearing on unwanted charges, and your data usage may be higher than usual.
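Checking a bill by eye works for a few lines; for an itemised bill export it helps to let a script group charges by the number they came from and pick out the recurring ones. The script below is an added example, not part of the original article. It reads a constructed CSV in the shape of an itemised bill (the numbers, short codes and amounts are invented) and flags counterparties that charge the same amount repeatedly, or whose line description reads like a subscription; the column names and the short-code heuristic are assumptions for the example.

```python
"""Flag recurring premium-service charges in an itemised phone bill (added example)."""
import csv
import io
import re
from collections import defaultdict
from datetime import date
from typing import Dict, List

# Constructed sample bill: columns and values are invented for this example.
SAMPLE_BILL_CSV = """\
date,counterparty,description,amount
2021-03-01,+27821234567,Voice call 02:14,1.20
2021-03-02,31234,Weekly Games Club subscription,5.00
2021-03-03,Operator,Data bundle 1GB,29.00
2021-03-09,31234,Weekly Games Club subscription,5.00
2021-03-10,+27829876543,Voice call 00:45,0.40
2021-03-16,31234,Weekly Games Club subscription,5.00
2021-03-18,45678,Ringtone of the day,3.00
2021-03-21,45678,Ringtone of the day,3.00
"""

# Words that usually mark a recurring VAS charge on a bill line.
SUBSCRIPTION_WORDS = re.compile(r"\b(subscri|weekly|daily|monthly|club|renew)", re.IGNORECASE)
# Premium services are normally billed from a short code rather than a full number.
SHORT_CODE = re.compile(r"^\d{3,6}$")


def load_charges(csv_text: str) -> List[Dict]:
    """Parse the bill export into typed rows."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "date": date.fromisoformat(r["date"]),
            "counterparty": r["counterparty"].strip(),
            "description": r["description"].strip(),
            "amount": float(r["amount"]),
        })
    return rows


def find_suspicious_subscriptions(charges: List[Dict], min_repeats: int = 2) -> List[Dict]:
    """Return counterparties that look like subscriptions: a short code or subscription
    wording, charged the same amount at least `min_repeats` times."""
    by_party: Dict[str, List[Dict]] = defaultdict(list)
    for c in charges:
        by_party[c["counterparty"]].append(c)

    findings = []
    for party, items in by_party.items():
        items.sort(key=lambda c: c["date"])
        looks_premium = bool(SHORT_CODE.match(party)) or any(
            SUBSCRIPTION_WORDS.search(c["description"]) for c in items)
        same_amount = len({c["amount"] for c in items}) == 1
        if looks_premium and same_amount and len(items) >= min_repeats:
            gaps = [(b["date"] - a["date"]).days for a, b in zip(items, items[1:])]
            findings.append({
                "counterparty": party,
                "description": items[0]["description"],
                "charges": len(items),
                "total": round(sum(c["amount"] for c in items), 2),
                "interval_days": sorted(set(gaps)),
            })
    # Biggest drain on credit first.
    findings.sort(key=lambda f: f["total"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_suspicious_subscriptions(load_charges(SAMPLE_BILL_CSV)):
        print(f"{f['counterparty']}: {f['charges']} x '{f['description']}' "
              f"= {f['total']:.2f}, every {f['interval_days']} day(s)")
```

On the sample this reports the weekly 5.00 short-code charge and the 3.00 ringtone charge while ignoring voice calls and the operator’s own data bundle. A regular interval (here exactly 7 days) together with a short code is the typical signature of a VAS auto-subscription and is the line to query with the operator.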

Clean your phone from unwanted apps hiding in your phone

Some apps can hide themselves on your phone: they are visible neither on the home screen nor in the phone’s app settings. You can use our tool to find apps infected with malware that might pose a threat to you.

Read app reviews before downloading an app

When downloading apps from the App Store or the Google Play store, always read reviews written by other users. If an app is causing issues to someone, they are likely to complain about it on the reviews and warn other users.

Be careful when sharing your 3G hotspot

When sharing your 3G connection as a wifi hotspot from your phone, other users can use your phone number to sign up for paid subscriptions. They might not do it on purpose, but you will still be charged for those subscriptions. As precautionary measures, set a strong password on your hotspot, share it only with people you know and trust, and disable the hotspot when it is not needed.


Director of Client Services at Empello