Tricky toll fraud apps with 210k downloads are spreading through Google Play.

A few days ago, we found a toll fraud app on Google Play. This post briefly describes it.

How the toll fraud app works. The initially spotted app can be accessed via Janus. The app is tricky: if it is started from the launcher, it works normally, but if it is started via a deeplink, it changes the view and starts the subscription process.


Tips for analyzing include:

  • If the app is started from the launcher, there is no subscription (Upgrade to premium button in the menu).
  • However, if the app is started by clicking an ad (by assumption), the app works differently. We think this is the reason why the app bypassed Google Play's vetting process and is still alive even though users complain about it.
  • The app integrates the MobiBox third-party library for subscription (
  • The toll fraud app only works in a limited set of countries/regions (Lebanon/South Africa by observation).
  • The disclaimer for the subscription is controlled by the developer.
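
A static triage sketch for the launcher-versus-deeplink split described above. It is an added example, not code from the original analysis. It assumes the manifest has already been decoded to text (for example by apktool) and that the deep links are declared as browsable VIEW intent filters; the package, activity and scheme names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Constructed sample: a decoded AndroidManifest.xml; every name in it is hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.scanner">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="examplescan" android:host="open"/>
      </intent-filter>
    </activity>
    <activity android:name=".PromoActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="promo.example.com"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

def deeplink_entry_points(manifest_xml):
    """Return sorted (component, uri, also_launcher) for each browsable deep link."""
    root = ET.fromstring(manifest_xml)
    launchers, links = set(), []
    for comp in list(root.iter("activity")) + list(root.iter("activity-alias")):
        name = comp.get(NS + "name")
        for flt in comp.findall("intent-filter"):
            actions = {a.get(NS + "name") for a in flt.findall("action")}
            cats = {c.get(NS + "name") for c in flt.findall("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                launchers.add(name)
            if "android.intent.action.VIEW" in actions and "android.intent.category.BROWSABLE" in cats:
                # Simplification: each <data> element is read on its own.
                for d in flt.findall("data"):
                    if d.get(NS + "scheme"):
                        links.append((name, f"{d.get(NS + 'scheme')}://{d.get(NS + 'host') or '*'}"))
    return sorted((n, u, n in launchers) for n, u in links)

if __name__ == "__main__":
    for name, uri, also_launcher in deeplink_entry_points(SAMPLE_MANIFEST):
        print(f"{name}\t{uri}\tshares launcher activity: {also_launcher}")
```

Each listed URI is a start path to exercise during review in addition to the launcher start, since the app described here only showed its subscription flow on the deeplink path.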

Find more fraud apps in Google Play. We searched Janus using the signature of the subscription library and found 2 additional toll fraud apps on Google Play and 3 apps in Baidu App Market. Summary of these apps:

  • These apps have 210k downloads in total on Google Play.
  • These apps have been hosted on Google Play for over 1 month.
  • The views of these apps are almost the same, even though they are published by different developers and carry different descriptions.


Hash of the toll apps:


Advice for Google Play:

  • Respect end users more than vendors/developers.
  • Remove these apps immediately.
  • Investigate these apps and the library; the API_KEY in string.xml may be helpful.
