The toll fraud method uses the ancient Wireless Application Protocol (WAP) protocol that connects you to the mobile Internet and that your carrier uses to charge you for legitimate services like Spotify or even HBO Max.

Upon disconnection from a Wi-fi network, the new malware opens a subscription page and fills in your details, including any one-time passwords that are needed.

This happens while text messaging services are temporarily disabled so you don't get any subscription notification until you get your monthly phone bill and get surprised.

The scam goes on for months until you notice. The Android malware is written in a way that it will look like an average service to the unsuspicious user, hiding behind unnecessary permissions.

Vole said that variants of toll fraud malware targeting Android API level 28 (Android 9.0) or lower disable the Wi-Fi by invoking the setWifiEnabled method of the WifiManager class.

“The permissions needed for this call are ACCESS_WIFI_STATE and CHANGE_WIFI_STATE. Since the protection level for both permissions is set to normal, they are automatically approved by the system.”

If an app that is designed to do something totally unrelated asks for text messaging permissions, say the researchers, this should immediately raise your level of suspicion.

The best way to avoid the new toll fraud Android malware, says Microsoft, is simply to run a phone with Android 10 or later.  Until Android 9, these types of apps could operate undetected.