Manipulated website buys abo for 3rd-party services on my mobile-providerLT

xundeenergie

Sorry... the image-links do not work in case of CSP-Header... and i can not edit the posting anymore.

de0u

xundeenergie It is likely possible to post the images via something like imgur, or put them in Proton Drive, and post links here.

xundeenergie

I posted them via https://img.adminforge.de/ and one via my nextcloud and a public link.

I can try it via imgur too... but i don't like this information in imgur... so i prefer privacy respecting services.

xundeenergie

Now i called the phone-provider. The lady on the line told me, such things happens often. And i have to call to the scammer to get my money back...

But i don't understand, how it can happen, that vanadium sends a purchasing sms from a manipulated website.

The manipulated website is https:// ulrike-trebesius dot de
I write the url in that way, so no one can click it accidentially.
Now this website is blocked by cloudflare. Last night it got redirected to a malicious site. And somehow it was possible, that a short message was sent from the GOS-Phone triggered by this website.

Vanadium has/had no permissions for phone-calls and sms. Only Network, Notifications ans Sensors permissions were given.

dc32f0cfe84def651e0e

xundeenergie Now i called the phone-provider. The lady on the line told me, such things happens often. And i have to call to the scammer to get my money back...

Submit a formal complaint by both your carrier and the customer rights' protection institution in your country. It is between you and your carrier, a third party has nothing to do here.

chinook

So, if I read it right, your wife fell victim to a scammer, and somehow this is GOS fault?

But i don't understand, how it can happen, that vanadium sends a purchasing sms from a manipulated website

It seems that in the initial message you said:

And she came to me, showing me the phone. She had closed the website and told me "something weird happened. So i closed this site".

So we don't even know what happened and it's still GOS fault?
I smell stale water and leaves (;

xundeenergie

Is WAP_Billing https://en.wikipedia.org/wiki/WAP_billing possible on grapheneOS an vanadium?
It looks like, this could be the reason for this problem.
And if it's possible... how can the confirmation for the billing be pressed automatically from the browser, without action from the user?

Novalissoide

xundeenergie it wasn't 'pressed automatically in the browser' from what you describe.

xundeenergie

Novalissoide
i told:
my wife just opened a website and closed the tab in case it looked strange and not what she was looking for. And then the she received a confirmation-sms about the purchase.
NO click after the websearch. The purchase happened only on opening the website.

xundeenergie

I found this document
marktwaechteruntersuchung-der-unbekannte-dritte.pdf

On page 11 I found this:

Auch die Bundesnetzagentur konnte entsprechend un-
seriöse Geschäftspraktiken dokumentieren. So antwor-
tete sie auf eine kleine Bundestagsanfrage, „dass [in
den nachgewiesenen Fällen] alleine der Aufruf einer In-
ternetseite im mobilen Internet ausreichte, um eine ent-
sprechende Abrechnung auszulösen.“

Which means in english:

The Federal Network Agency was also able to document
dubious business practices. In response to a minor inquiry from the Bundestag, it stated that “in the proven cases, simply visiting a website on the mobile internet was sufficient to trigger a corresponding charge.”

Now i'm still asking, why is this possible in grapheneos + vanadium?

MineralWater

It's neither the fault of Graphene OS, nor of Stock Android or whatsoever...

Those phone billing services are unrelated to the OS, they are running on the backend of your phone provider.

In Germany most providers (if not all) disable third party billing and the customers have to enable it actively.

Should be the same in most EU countries.

You can disable it for free on your provider website when logged in as a customer.

Some people activate it to pay in Play Store or pay for music streaming etc.

So again, this is something that is on your phone providers site. The OS can't tell if a payment is fraudulent or willfully.

If you don't want this to happen, disable third party services for your phone number in your customer account.

xundeenergie

MineralWater

i've deactivated those 3rd-party services in her settings on the phone-providers customer-zone after that. I'm not sure, it's many years ago... when she bought her new contract on this provider, i think i disabled that stuff all. But I'm not sure.

It was enabled at all (or again?)
But again... Normally you need a click to activate such a purchase. In this case, no click was done and neccessary... only opening the website did the purchase.

And this happens in vanadium on grapheneOS. So, this is, why i'm asking here and not somewhere else.

Is there no possibility to harden vanadium against such attacks? Or deploy permissions for WAP_billing to the browsers and other apps?
Is the only way to disable this on my mobile network settings on the phone-provider settings?

Watermelon

xundeenergie I need to know, what i have to do now. How can i find out, if there is really malware installed?
Is it enough to reset the browser?
Or should i reinstall grapheneOS from scratch?

There's absolutely no need to reinstall GrapheneOS. There's a feature intended to be used instead: verified boot. A simple reboot is all you need to regain trust in the installed operating system. I recommend you to check her phone with the Auditor app. Examine the Auditor app's results, check that the reported security patch level is up-to-date, and that all other reported values match your expectations. There should be no device admin apps and no accessibility granted apps, as these are incredibly dangerous permissions. If there are, try to disable them, and then use the Auditor app again to ensure they've been disabled.

You can set dynamic code loading via memory to restricted on the Vanadium app. This will make the in-browser JIT toggle lack effect. There's no more need to enable JIT just for enabling WebAssembly in the newest Vanadium version, as they've recently enabled JIT-less support for WebAssembly. You can try rebooting the device after setting the exploit protection setting as I suggested, if you want to make sure that things are applied properly. And of course, make sure that Vanadium is up-to-date in the GrapheneOS App Store.

Edit: Which app is set as her default wallet app?

xundeenergie

Watermelon
Thank you for this information. This is, what i wanted. Really thank you!!!

The auditor-app gives me good results. All "no" except "Main user account" is "yes"

There is no default wallet app. We both do not use paying with our mobile phones. So i've nothing configured.

I enabled now the exploit protection and rebooted the device.
And auto update is enabled, so it's on the last patchlevel.

MineralWater

xundeenergie

If you are in Germany you can report this to the Bundesnetzagentur

https://www.bundesnetzagentur.de/DE/Vportal/TK/Aerger/Faelle/Drittanbieter/start.html

If there wasn't any redirect you don't have to pay this.

xundeenergie

I'm in austria.
I think, i have to report it to the RTR.
https://www.rtr.at/TKP/was_wir_tun/telekommunikation/konsumentenservice/schlichtungsverfahren/TKKS_Schlichtung.de.html

dc32f0cfe84def651e0e

This is why it is important to use VPN.

MineralWater

dc32f0cfe84def651e0e

A VPN won't help. The billing is connected to a phone provider. When you got a sim or esim in your phone, the billing can be started.

Only way to prevent this is blocking third party billing or not having a sim at all.

dc32f0cfe84def651e0e

MineralWater It will. The billing provider will see connection from VPN IP, not the internal connection from the carrier side.

MineralWater

dc32f0cfe84def651e0e
That is not how this billing process works. It's tied to the telephone number on the sim, the billing process is handled via the cell network.

The IP is completely unimportant here.

xundeenergie

I did some more checks.

My wife opened
ulrike-trebesius.de/
This site was hacked and redirects to:
expandwhomjackal.com/
The next site in the browser-history is
opticks.dimoco.me
which is marked as "Loading" in the browser history. And then finally the next site auto-opened was:
ua.forward-tv.live

And the abo which was automatically purchased is from "forward TV"

And what i've seen in my pihole (have a lot of blocklists loaded. especially for fraud/malware/spam/scam-sites. And the first one "expandwhomjackal.com" would be blocked by the pihole...
so obviously she was not in the WLAN at this moment.
And the vpn was already not configured at this moment, because i had no time before. The phone is very new. Just a few days here.

Yes... in this case a VPN or the wland would have protect my wife from this attack...

de0u

xundeenergie I am by no means an expert on WAP billing fraud... but can it be done via JavaScript code in a browser? For example, this ZDNet article seems to suggest a malicious app may be required.

de0u

xundeenergie I see some AOSP code in frameworks/base/packages/WAPPushManager related to receiving "WAP push" messages via SMS, but it doesn't appear to be built in GrapheneOS.

This is a recent-ish article from Microsoft describing how a malicious Android app might invoke WAP billing without a click: "Toll fraud malware: How an Android application can drain your wallet".

This article in a similar vein from 2017 ("WAP-billing Trojan-Clickers on rise") suggests that without an app it is necessary for a malicious web site to redirect to a carrier's web site and for the user to press a button on the carrier web site. Of course, new vulnerability pathways are uncovered from time to time.