Kaspersky Lab researcher Roman Unuchek spotted an uptick in WAP-billing trojan-clickers from different cybercriminal groups targeting users in Russia and India.
The malware steals money from users through WAP-billing, a mobile payment method that charges costs directly to the user's mobile phone bill so that they don't have to register a payment card or set up login credentials, according to a 24 August blog post.
The scam payment is similar to premium-rate SMS messages, but instead of needing to send an SMS, the user only needs to click a button on a web-page enabled with WAP-billing. To the user, the page would look like a normal web-page.
Unuchek said that although the attack method has been around for some time, there has been a surge of attacks, with the method suddenly appearing in different trojans used by different groups. He said most of them had been under development since the end of 2016 and that their prevalence increased in the second half of Q2 2017.
All of the trojans are distributed outside of the Google Play store, masquerading as useful apps and downloaded from malicious websites or ads, Unuchek told SC Media.
He added that he's seen more than 30,000 infected users since July 1st 2017, but said the actual number may be greater, since there are many people without antivirus solutions. The trojans basically steal a user's money just by clicking on webpages.
“They are stealing less money than banking trojans, but it is harder for a user to notice the monetary loss,” Unuchek said. “There were cases when such trojans were stealing small amounts of money, every day, for months!”