Android SMS Stealer Campaign Detected In 113 Countries

Researchers at Zimperium, a U.S.-based mobile security company, have discovered a large-scale SMS-stealing campaign affecting Android devices in 113 countries.

Zimperium, which has tracked this large-scale campaign since February 2022, has identified over 107,000 unique malware samples: malicious Android apps that steal users’ SMS messages.

The threat actors behind this malware campaign used malicious advertisement links and Telegram bots to automate communication with potential victims.

In the malvertising case, victims are lured to fake web pages imitating the Google Play Store that display inflated download counts to instil a false sense of trust and security.

On Telegram, the bots posed as legitimate services and deceived victims into downloading unique malicious applications disguised as legitimate APK (Android application package) files.

For instance, a bot offers the user a pirated APK file but asks for the user’s phone number before handing it over. The attacker can then build a fresh APK tied to that number, enabling personalized tracking or follow-on attacks.

“With the victim firmly in the grasp of the attacker, the attacker now has the ability to steal and sell sensitive information about the user for financial gain,” Zimperium wrote in a blog post.

According to Zimperium, a vast network of roughly 2,600 Telegram bots promoting various Android APKs was linked to this campaign. The malware also used 13 command-and-control (C&C) servers to receive the SMS messages exfiltrated from victim devices.

“Of those 107,000 malware samples, over 99,000 of these applications are/were unknown and unavailable in generally available repositories. This malware was monitoring one-time password messages across over 600 global brands, with some brands having user counts in the hundreds of millions of users,” the mobile security firm added.

Victims of this campaign spanned 113 countries, with Russia and India being the primary targets, followed by Brazil, Mexico, the U.S., Ukraine, Spain, and Turkey.

During its investigation, Zimperium discovered that the malware transmits SMS messages from the infected device to a specific API endpoint on the domain ‘fastsms[.]su’. Fast SMS (‘fastsms[.]su’) is a website that sells access to “virtual” phone numbers in foreign countries, used for anonymization and for passing phone-number verification on various online apps and services.

The researchers assess that the phone numbers of infected devices are being offered through this service without the victims’ knowledge: the SMS permissions the malware requests let it intercept the one-time passwords (OTPs) required for account registrations and two-factor authentication (2FA). On Android, that access comes from the READ_SMS and RECEIVE_SMS permissions, which Google Play’s permission policy restricts to default SMS handlers and a few approved use cases; a sideloaded APK is subject to no such review, which is why an app with no messaging purpose asking for them is a red flag.

Victims could incur unauthorized charges on their mobile accounts and be implicated in illicit activities carried out with their devices and phone numbers.

“The proliferation of this mobile malware, coupled with the ease of data theft (eg. SMS, OTP’s), poses a significant threat to individuals and organizations alike. These stolen credentials serve as a springboard for further fraudulent activities, such as creating fake accounts on popular services to launch phishing campaigns or social engineering attacks,” Zimperium concluded.

To avoid phone number misuse, users are urged not to download APKs from outside the Google Play Store, to deny app permissions unrelated to an app’s stated functionality, and to ensure Play Protect is enabled on their devices.
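The two points above, that the malware needs SMS permissions to intercept OTPs and that it arrives as a sideloaded APK rather than through the Play Store, can be turned into a quick device triage. The script below is an added example and is not code from Zimperium or from this article: it parses the text a responder would capture with `adb shell pm list packages -3 -i` and `adb shell dumpsys package <pkg>`, and flags third-party packages that have been granted READ_SMS or RECEIVE_SMS but whose installer is not the Play Store (`com.android.vending`). The package names and dumpsys excerpts embedded in it are constructed for the example, and the exact dumpsys layout varies between Android versions, so treat the regular expressions as a starting point rather than a finished parser.

```python
"""Triage helper: flag third-party Android packages that hold SMS permissions
and were not installed by the Play Store.

Added example, not Zimperium's or Techworm's code. It parses text captured via
  adb shell pm list packages -3 -i
  adb shell dumpsys package <pkg>
The sample captures below are constructed for this example; real dumpsys
output varies by Android version, so adjust the regexes for your target.
"""
import re
from dataclasses import dataclass, field

# Permissions that let an app read incoming SMS, and therefore OTP codes.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of `pm list packages -3 -i` (third-party packages + installer).
# installer=null is what a sideloaded (adb/browser-installed) APK reports.
SAMPLE_PACKAGE_LIST = """\
package:com.bank.app  installer=com.android.vending
package:com.example.freegame  installer=null
package:org.messenger.client  installer=com.android.vending
"""

# Constructed samples of the permission sections of `dumpsys package <pkg>`.
SAMPLE_DUMPSYS = {
    "com.bank.app": """\
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true
""",
    "com.example.freegame": """\
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true
      android.permission.READ_SMS: granted=true
""",
    "org.messenger.client": """\
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
    runtime permissions:
      android.permission.CAMERA: granted=true
""",
}


@dataclass
class Finding:
    package: str
    installer: str
    granted_sms_permissions: list = field(default_factory=list)


def parse_package_list(text: str) -> dict:
    """Map package name -> installer from `pm list packages -i` output."""
    result = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", text, re.M):
        result[m.group(1)] = m.group(2)
    return result


def granted_permissions(dumpsys_text: str) -> set:
    """Return the permissions reported as granted=true in a dumpsys package dump."""
    return set(re.findall(r"^\s*(\S+): granted=true", dumpsys_text, re.M))


def find_suspicious(package_list: str, dumpsys_by_pkg: dict) -> list:
    """Flag packages holding an SMS permission that did not come from the Play Store.

    A Play-installed app with an SMS permission is deliberately not flagged:
    it may be a legitimate SMS client or a bank app that passed Play's review.
    """
    findings = []
    for pkg, installer in parse_package_list(package_list).items():
        granted = granted_permissions(dumpsys_by_pkg.get(pkg, ""))
        sms = sorted(granted & SMS_PERMISSIONS)
        if sms and installer != PLAY_STORE_INSTALLER:
            findings.append(Finding(pkg, installer, sms))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_PACKAGE_LIST, SAMPLE_DUMPSYS):
        print(f"{f.package}: installer={f.installer}, "
              f"sms={', '.join(f.granted_sms_permissions)}")
```

On a real device, replace the embedded samples with the captured text (one dumpsys capture per third-party package). A hit is a lead, not a verdict: confirm by checking where the APK came from and whether the app has any plausible need to read SMS before uninstalling it and rotating any accounts whose OTPs it could have seen.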

Kavita Iyer, https://www.techworm.net