"HTTP injector" apps traded in public Telegram channels are becoming a popular method of gaining free Internet access on mobile devices.
Such apps work by modifying HTTP headers on network requests with malicious code that tricks "captive portals" into giving the user access to the Internet.
Captive portals are the temporary web pages that some mobile telcos or private WiFi networks show users when trying to access the Internet, sometimes asking for a password or urging the user to recharge his SIM card's credit.
HTTP Injector apps work by leveraging the fact that some captive portals allow the user to establish connections to some Internet sites included in "data-free" offerings.
The HTTP injector app helps the user's device to establish a connection to the free website and then starts injecting HTTP headers, effectively hijacking the "free connection" and allowing the user to access any service of his choosing, later on.
"The initial connection to the data-free website begins the session, which can then be exploited using HTTP injectors to request SSH proxies to connect to the internet," Flashpoint says.
Researchers say they've spotted HTTP injector apps shared on Portuguese and Spanish-speaking Telegram channels. The apps were designed to exploit captive portals of Brazilian and Colombian telcos (to a lesser extent).
Crooks didn't share these tools in private, close-knit communities, but on public Telegram channels, some of which had over 90,000 users.
"One possible reason cybercriminals share their HTTP injector files so freely is to generate a larger footprint on the compromised infrastructure being utilized as a proxy by the HTTP injectors, thereby masking their own illicit activities," researchers said.
Previously, hackers usually exploited flaws in telcos' own web or mobile apps to gain free Internet access, but these flaws were never long-lived, as telcos plugged apps sooner or later.