SMS theft alert: Android users under attack in 113 countries
What's the story
A global SMS-stealing campaign has been detected, affecting Android devices across 113 countries.
The operation employs thousands of Telegram bots to distribute malware that steals one-time two-factor authentication (2FA) passwords for more than 600 services.
Researchers at Zimperium, a US-based mobile security company, have been monitoring this activity since February 2022 and have identified over 107,000 unique malware samples linked to the campaign.
Malware spread
Financial motives and distribution methods
The primary motive behind this campaign is believed to be financial gain.
The malware is disseminated either through malvertising or via Telegram bots that automate communication with potential victims.
In the case of malvertising—the practice of incorporating malware in online advertisements—victims are directed to pages imitating Google Play, which display exaggerated download numbers to instill a false sense of trust.
Bot strategy
Telegram bots and personalized tracking
On Telegram, the bots offer users pirated Android applications.
Before providing the APK file, they request for the user's phone number which is then used to create a new APK for personalized tracking or future attacks.
Zimperium reports that this operation involves 2,600 Telegram bots promoting various Android APKs, controlled by 13 command and control (C2) servers.
Victim demographics
India and Russia are the most affected countries
The majority of victims from this campaign are based in India and Russia, with significant numbers also reported in Brazil, Mexico, and the US.
The malware sends captured SMS messages to a specific API endpoint at 'fastsms.su,' a site that offers visitors the opportunity to buy access to "virtual" phone numbers in foreign countries for anonymization and authentication purposes on online platforms and services.
Permission abuse
Malware exploits Android SMS access permissions
The malware exploits Android SMS access permissions to capture OTPs needed for account registrations and two-factor authentication.
This could lead to unauthorized charges on victims' mobile accounts or their involvement in illegal activities traced back to their device and number.
To prevent phone number misuse, users are advised not to download APK files from sources other than Google Play, deny risky permissions to apps with unrelated functionality, and ensure Play Protect is active on their device.