I would be grateful if anyone can recommended a tutorial or books on how to attack ussd apps and APIs.
Google search gave no reasonable tutorial likewise Youtube.
There is a currently a switch to ussd payment in my country and would like to learn how to pentest ussd and APIs.
Did you checked this? https://www.researchgate.net/publication/276386458_Messaging_Attacks_on_Android_Vulnerabilities_and_Intrusion_Detection
This looks quite interesting.