Manipulated website buys abo for 3rd-party services on my mobile-providerLT

Watermelon

xundeenergie I need to know, what i have to do now. How can i find out, if there is really malware installed?
Is it enough to reset the browser?
Or should i reinstall grapheneOS from scratch?

There's absolutely no need to reinstall GrapheneOS. There's a feature intended to be used instead: verified boot. A simple reboot is all you need to regain trust in the installed operating system. I recommend you to check her phone with the Auditor app. Examine the Auditor app's results, check that the reported security patch level is up-to-date, and that all other reported values match your expectations. There should be no device admin apps and no accessibility granted apps, as these are incredibly dangerous permissions. If there are, try to disable them, and then use the Auditor app again to ensure they've been disabled.

You can set dynamic code loading via memory to restricted on the Vanadium app. This will make the in-browser JIT toggle lack effect. There's no more need to enable JIT just for enabling WebAssembly in the newest Vanadium version, as they've recently enabled JIT-less support for WebAssembly. You can try rebooting the device after setting the exploit protection setting as I suggested, if you want to make sure that things are applied properly. And of course, make sure that Vanadium is up-to-date in the GrapheneOS App Store.

Edit: Which app is set as her default wallet app?

xundeenergie

Watermelon
Thank you for this information. This is, what i wanted. Really thank you!!!

The auditor-app gives me good results. All "no" except "Main user account" is "yes"

There is no default wallet app. We both do not use paying with our mobile phones. So i've nothing configured.

I enabled now the exploit protection and rebooted the device.
And auto update is enabled, so it's on the last patchlevel.

xundeenergie

MineralWater

i've deactivated those 3rd-party services in her settings on the phone-providers customer-zone after that. I'm not sure, it's many years ago... when she bought her new contract on this provider, i think i disabled that stuff all. But I'm not sure.

It was enabled at all (or again?)
But again... Normally you need a click to activate such a purchase. In this case, no click was done and neccessary... only opening the website did the purchase.

And this happens in vanadium on grapheneOS. So, this is, why i'm asking here and not somewhere else.

Is there no possibility to harden vanadium against such attacks? Or deploy permissions for WAP_billing to the browsers and other apps?
Is the only way to disable this on my mobile network settings on the phone-provider settings?

MineralWater

xundeenergie

If you are in Germany you can report this to the Bundesnetzagentur

https://www.bundesnetzagentur.de/DE/Vportal/TK/Aerger/Faelle/Drittanbieter/start.html

If there wasn't any redirect you don't have to pay this.

xundeenergie

I'm in austria.
I think, i have to report it to the RTR.
https://www.rtr.at/TKP/was_wir_tun/telekommunikation/konsumentenservice/schlichtungsverfahren/TKKS_Schlichtung.de.html

dc32f0cfe84def651e0e

This is why it is important to use VPN.

MineralWater

dc32f0cfe84def651e0e

A VPN won't help. The billing is connected to a phone provider. When you got a sim or esim in your phone, the billing can be started.

Only way to prevent this is blocking third party billing or not having a sim at all.

dc32f0cfe84def651e0e

xundeenergie Now i called the phone-provider. The lady on the line told me, such things happens often. And i have to call to the scammer to get my money back...

Submit a formal complaint by both your carrier and the customer rights' protection institution in your country. It is between you and your carrier, a third party has nothing to do here.

dc32f0cfe84def651e0e

MineralWater It will. The billing provider will see connection from VPN IP, not the internal connection from the carrier side.

MineralWater

dc32f0cfe84def651e0e
That is not how this billing process works. It's tied to the telephone number on the sim, the billing process is handled via the cell network.

The IP is completely unimportant here.

xundeenergie

I did some more checks.

My wife opened
ulrike-trebesius.de/
This site was hacked and redirects to:
expandwhomjackal.com/
The next site in the browser-history is
opticks.dimoco.me
which is marked as "Loading" in the browser history. And then finally the next site auto-opened was:
ua.forward-tv.live

And the abo which was automatically purchased is from "forward TV"

And what i've seen in my pihole (have a lot of blocklists loaded. especially for fraud/malware/spam/scam-sites. And the first one "expandwhomjackal.com" would be blocked by the pihole...
so obviously she was not in the WLAN at this moment.
And the vpn was already not configured at this moment, because i had no time before. The phone is very new. Just a few days here.

Yes... in this case a VPN or the wland would have protect my wife from this attack...

de0u

xundeenergie I am by no means an expert on WAP billing fraud... but can it be done via JavaScript code in a browser? For example, this ZDNet article seems to suggest a malicious app may be required.

de0u

xundeenergie I see some AOSP code in frameworks/base/packages/WAPPushManager related to receiving "WAP push" messages via SMS, but it doesn't appear to be built in GrapheneOS.

This is a recent-ish article from Microsoft describing how a malicious Android app might invoke WAP billing without a click: "Toll fraud malware: How an Android application can drain your wallet".

This article in a similar vein from 2017 ("WAP-billing Trojan-Clickers on rise") suggests that without an app it is necessary for a malicious web site to redirect to a carrier's web site and for the user to press a button on the carrier web site. Of course, new vulnerability pathways are uncovered from time to time.

23Sha-ger

xundeenergie Something downloaded and run by the browser could gather information about the phone-number and do a 3rd-party purchase from the browser.

Nothing like this happened unless you have some sort of autofill
in Vanadium, and then it will ask you to fill a form with data that
is available, such as name, phone, address, ZIP.

This cannot happen without consent.
Rest assured that a real vulnerability in Chromium that allows
to install unwanted software (remote code execution) is sold
for very large amounts, so no one will waste this to hack some
website and make unathorized fraud whatsoever.
Call your carrier and reverse the charge for whatever crap you
clicked on, and block billing and premium numbers/SMS.

xundeenergie

23Sha-ger
There is bitwarden password-manager installed. But it askes on every call from the browser to be unlocked manually.
No other autofill is configured in vanadium. It's standard installation.

Did i understand this correctly? Three possible ways:

a malicious app did the thing
a undocumented or unfixed vulnerability in chromium/vanadium which allows RCE
some attack on the phone explicitly with software, that can use such vulnerabilities

I called my phone-provider. And we get back the money (got the message today)

But... verified boot it enough to retrust the phone? If some remote code execution happened... i do not trust the phone any more...
for WAP billing a consent is mandatory.
My wife did not consent to anything, but the purchase was done.
So something else clicked the consent after opening a hacked website... what clicked it?

de0u

xundeenergie Did i understand this correctly? Three possible ways:

a malicious app did the thing

a undocumented or unfixed vulnerability in chromium/vanadium which allows RCE

some attack on the phone explicitly with software, that can use such vulnerabilities

Without video of an incident and an inventory of all installed apps it's hard to say. It is not clear those are the only options. In theory there might be an unknown vulnerability in some non-malicious installed app.

fernlike

xundeenergie Did i understand this correctly? Three possible ways:

a malicious app did the thing

a undocumented or unfixed vulnerability in chromium/vanadium which allows RCE

some attack on the phone explicitly with software, that can use such vulnerabilities

Or your wife accidentally tapped on the screen while on the malicious website. If all it takes is one click to approve a WAP billing purchase, then it would be super easy to do it without noticing. Especially if the button was disguised or invisible and covering the whole webpage (unless Vanadium protects against such things).

My point is that human error is almost always the most likely cause when there is a security breach.

Semiconductor

Hello xundeenergie,
When I first read your initial post, my though was "technically, this cannot be possible".
But after searching a bit on the internet, it looks to me as if not your wife's phone was compromised (nor is the browser), but she landed on a fraudulent website that uses so called "Clickjacking".
Apparently these companies abuse the option to buy additional services on your mobile phone by getting charged on your monthly mobile phone bill.
As you are from Austria, maybe this link is of interest for you:
https://www.verbraucherzentrale.de/wissen/digitale-welt/mobilfunk-und-festnetz/drittanbietersperre-schutz-vor-ungewollten-abos-12613
Normally, if such a company (in German they are called "Drittanbieter", not sure whether in English you call it "3rd Party provider" or something like that?) want to sell you something by charging your mobile phone bill, they explicitly have to ask you for your consent ("are you sure?").
What apparently happens is, that they camouflage the window "click here for useless subscription for insane amount" with an overlay, that may for instance look exactly like a utube video playback window. As the feedback dialogue ("are you sure"?) may be suppressed, by clicking twice (because the video playback did not start for obvious reason) you already have "signed a contract" without noticing it.
Interestingly, many of the subscriptions offered by those questionable companies, ccording to the Internet basically are useless as they do not offer any value added service that is worth it. So it seems their primary goal is to get other people's money.
I have to thank you for sharing this topic. I logged into my Mobile provider account and checked the section "Drittanbieter" (3rd party payment provider) and now have disabled (almost) all of them. At T-Mobile you can blacklist them all, whitelist some specifically or check for every 3rd party payment provider individually. In case of doubt, disabling this service in general seems a good idea to me. Looking at the long, long list of these companies over there brings me to the impression, that this is still a sort of lucrative backdoor at many mobile provider.
If anyone has further/different information feel free to share. To me it looks as if fraudulent 3rd party payments still are a thing in nowadays.

avaluedcustomer

Semiconductor I have to thank you for sharing this topic. I logged into my Mobile provider account and checked the section "Drittanbieter" (3rd party payment provider) and now have disabled (almost) all of them.

Same here. The post got me to check this.
Interesting enough, my provider (in Germany) has disabled this permanently with no option to enable it at all.

I guess they simply don't want to deal with any problems that stem from this way of paying (e.g. precisely the situation the OP ran into)

« Previous Page