A recent investigation has uncovered a significant malicious campaign that uses harmful Android applications to steal users’ SMS messages, with activity dating back to at least February 2022. This large-scale operation reportedly involves over 107,000 unique malicious app samples aimed at intercepting one-time passwords (OTPs) that are essential for online account authentication, thereby facilitating identity theft.
According to mobile security firm Zimperium, over 99,000 of these malware applications were previously unknown and unavailable on commonly accessed repositories. The malware’s capabilities involve monitoring OTP messages across more than 600 global brands, some of which serve user bases in the hundreds of millions. This alarming statistic underscores the extensive reach and potential impact of the campaign.
Impact assessments identify victims in 113 countries, with India and Russia as the top targets, followed by Brazil, Mexico, the United States, Ukraine, Spain, and Turkey. These figures illustrate the international scope of the threat and suggest a systematic approach to targeting individuals across many regions.
The initial phase of this attack entails the installation of a malicious application, which victims are often misled into downloading via deceptive ads that mimic legitimate Google Play Store listings or through one of the 2,600 Telegram bots masquerading as authentic services, such as Microsoft Word. Upon installation, these applications request permission to access incoming SMS messages, and subsequently connect to one of 13 command-and-control (C2) servers to relay the stolen messages.
Research indicates that these malware samples maintain a stealthy presence on infected devices, continuously monitoring for new incoming SMS messages, with a specific focus on OTPs used for two-factor authentication. The identity of the threat actors remains unknown; however, they have been observed accepting numerous payment methods, including cryptocurrency, for a service known as Fast SMS (fastsms[.]su), which gives customers access to virtual phone numbers.
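The infection chain described above (an app that asks for SMS access, registers for incoming messages, and talks to a server) leaves a recognisable footprint in the app manifest. The following triage check is an added example written for this article, not code from Zimperium or from the campaign; it assumes a decoded AndroidManifest.xml (as produced by a tool such as apktool) and runs over a constructed sample manifest embedded inline.

```python
import xml.etree.ElementTree as ET

# Android manifest attribute namespace and the indicators this check looks for
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
INTERNET_PERM = "android.permission.INTERNET"


def triage_manifest(manifest_xml: str) -> dict:
    """Report SMS-stealer indicators found in a decoded AndroidManifest.xml.

    The heuristic flags the combination the campaign depends on: permission to
    read incoming SMS, a receiver listening for SMS_RECEIVED broadcasts, and
    network access to exfiltrate what was captured. Legitimate messaging apps
    share this footprint, so a hit is a triage lead, not a verdict.
    """
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    sms_receivers = []
    for rcv in root.iter("receiver"):
        actions = {a.get(NAME_ATTR) for a in rcv.iter("action")}
        if SMS_ACTION in actions:
            sms_receivers.append(rcv.get(NAME_ATTR))
    findings = {
        "sms_permissions": sorted(perms & SMS_PERMS),
        "internet": INTERNET_PERM in perms,
        "sms_receivers": sms_receivers,
    }
    findings["suspicious"] = (
        bool(findings["sms_permissions"]) and findings["internet"] and bool(sms_receivers)
    )
    return findings


# Constructed sample manifest (hypothetical package name, not a real app)
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeword">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Word">
    <receiver android:name=".SmsListener" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

On a real sample the same check should be paired with the app's network destinations and its Play Store provenance, since the permission footprint alone also matches legitimate SMS clients.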
It is possible that the phone numbers linked to compromised devices are being used without the owners’ consent to register for online accounts, with the harvested OTPs providing the unauthorized access. Similar campaigns have been documented before; for instance, in early 2022, Trend Micro revealed a financially motivated service aimed at corralling Android devices into a botnet for mass account registration and fraud.
A Google spokesperson commented on the findings, asserting that Android users are protected against known versions of this malware by Google Play Protect, which is enabled by default on devices with Google Play Services. While this offers a layer of security, the credentials stolen in these attacks could serve as a launchpad for further fraudulent activity, such as creating fake accounts on widely used platforms or orchestrating phishing and social engineering schemes.
These findings emphasize the prevalent misuse of Telegram, a popular messaging service with over 950 million monthly active users, as a tool for malware distribution and data exfiltration. Recent disclosures by Positive Technologies identified two new families of SMS-stealing malware targeting Android users in countries including Bangladesh, India, and Indonesia.
Additionally, variations of stealer malware mimic popular applications to exfiltrate personal information, including photos and device data. The infection chain typically initiates with phishing attacks, further complicating the security landscape.
In conclusion, organizations must remain vigilant against evolving threat techniques. The involvement of Telegram as a distribution medium reflects a broader trend of exploiting widely-used platforms for cybercriminal activities. The threat landscape demands attention and proactive measures, especially in safeguarding sensitive data and ensuring robust security protocols are in place. As threat actors continue to innovate, understanding the tactics and techniques outlined within the MITRE ATT&CK framework will be crucial for developing effective defense strategies.