New SMS Stealer Infects Millions Of Android Users In 113 Countries

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Since February 2022, a sophisticated Android malware campaign has specifically targeted one-time passwords (OTPs), which the attackers harvest in order to break into enterprise accounts.

While tracking more than 107,000 malware samples, zLabs researchers observed the attackers changing tactics to bypass security controls and gain access to confidential corporate information.

This protracted operation exploits the widespread reliance on OTPs for account protection, underscoring the continuous struggle between cyber defense systems and increasingly sophisticated mobile threats.

Cybersecurity researchers at Zimperium recently identified a new SMS stealer that infects millions of Android users in 113 countries.


Android SMS Stealer

Using a variety of methods, this highly advanced Android malware campaign compromised victims' devices. The attackers spread SMS-stealing malware through misleading ads and Telegram bots posing as legitimate services.

Victims were tricked into installing malicious APKs tailored to them using their phone numbers. The malware could then read SMS messages, allowing it to extract the OTPs.
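The two traits described above, a sideloaded APK that requests SMS access, are what a responder looks for when triaging a fleet of Android devices. The following is an added example written for this article, not code from Zimperium or from the malware: it parses the output of `adb shell pm list packages -3 -i` (third-party packages with the package that installed them) and `adb shell dumpsys package <pkg>` (which lists requested permissions), and flags apps that hold SMS permissions but were not installed from the Play store. The inventory text is a constructed sample, not a real capture, and the set of trusted installers is an assumption to adjust per environment.

```python
"""Triage helper: flag sideloaded Android apps that hold SMS permissions.

Added example for this article, not Zimperium's code. It assumes two
inputs a responder can pull from a managed device: the output of
`adb shell pm list packages -3 -i` (third-party packages with the package
that installed them) and, per package, `adb shell dumpsys package <pkg>`
(which lists requested permissions). The inputs below are constructed
samples, not real captures.
"""
import re

# Permissions an SMS/OTP stealer needs in order to read incoming codes.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
# Installers treated as trusted (assumption): the Google Play store package.
TRUSTED_INSTALLERS = {"com.android.vending"}

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")
PERMISSION_TOKEN = re.compile(r"android\.permission\.[A-Z_]+")

# Constructed sample of `pm list packages -3 -i` output.
SAMPLE_PM_LIST = """\
package:com.example.banking installer=com.android.vending
package:com.example.notes installer=null
package:com.example.smsverify installer=com.android.chrome
"""

# Constructed excerpts of `dumpsys package <pkg>` for each package above.
SAMPLE_DUMPSYS = {
    "com.example.banking": """\
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
""",
    "com.example.notes": """\
    requested permissions:
      android.permission.INTERNET
      android.permission.WRITE_EXTERNAL_STORAGE
""",
    "com.example.smsverify": """\
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.READ_PHONE_STATE
""",
}


def parse_pm_list(text):
    """Map package name -> installer package ('null' when unknown/sideloaded)."""
    installers = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def requested_permissions(dumpsys_text):
    """Collect every android.permission.* token mentioned in a dumpsys dump."""
    return set(PERMISSION_TOKEN.findall(dumpsys_text))


def flag_suspects(pm_list_text, dumpsys_by_pkg):
    """Return (package, installer, sms_permissions) for apps that both request
    SMS access and were not installed from a trusted store."""
    suspects = []
    for pkg, installer in sorted(parse_pm_list(pm_list_text).items()):
        if installer in TRUSTED_INSTALLERS:
            continue
        perms = requested_permissions(dumpsys_by_pkg.get(pkg, ""))
        sms = sorted(perms & SMS_PERMISSIONS)
        if sms:
            suspects.append((pkg, installer, sms))
    return suspects


if __name__ == "__main__":
    for pkg, installer, sms in flag_suspects(SAMPLE_PM_LIST, SAMPLE_DUMPSYS):
        print(f"{pkg}: installed by {installer}, requests {', '.join(sms)}")
```

On the sample data only `com.example.smsverify` is flagged: the banking app also receives SMS but came from the Play store, and the sideloaded notes app has no SMS permissions. A flag is a triage lead, not a verdict; the next step is pulling the APK for analysis.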

Attack flow (Source – Zimperium)

Initially, the campaign's infrastructure used Firebase as its C&C server; it later switched to GitHub repositories containing obfuscated C&C URLs and malicious APKs. Most C&C servers were built on the Laravel framework.

Telegram bots providing APKs (Source – Zimperium)

Once installed, the malware steals personal data from the victim, including SMS messages and device information, and sends it to servers controlled by the threat actors. This endangers both personal security and corporate safety.

This global Android malware operation has reached an unprecedented scale, with 113 countries affected and Russia and India being the main targets.

Countries targeted (Source – Zimperium)

Researchers uncovered over 107,000 distinct malware samples, 95% of which were absent from common malware repositories, indicating advanced evasion capabilities.

The operation targeted one-time passwords (OTPs) for more than six hundred global brands, potentially affecting hundreds of millions of users.

The infrastructure consisted of 13 command and control (C&C) servers and around twenty-six hundred Telegram bots used for spreading malware.

A related webpage, fastsms[.]su, revealed the financial motive behind the campaign: it sells stolen phone numbers and captured OTPs, priced by location and network operator.

The malware was specifically designed to target emails from one major cloud-based email and office suite provider, suggesting a focus on high-value enterprise accounts.

This campaign’s size and complexity illustrate how the threat landscape in mobile security is changing.

The evolving mobile malware threat landscape poses significant risks to individuals and organizations: stolen SMS messages and OTPs can be leveraged for broader fraud.

This calls for a multi-layered security approach that combines user training with advanced detection technologies capable of catching previously unseen malware.
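One of those layers sits on the server that consumes the OTP. The following is an added example for this article, not code from Zimperium or any vendor: it shows the verification controls that limit what an intercepted or guessed code is worth, namely binding the code to the login session that requested it, a short expiry, single use, and a lock after a few wrong guesses. The TTL and attempt limit are assumed values chosen for the example. A code read off the device before the legitimate user enters it remains usable, so these controls shrink the window and stop replay and brute force; they do not substitute for phishing-resistant MFA.

```python
"""Server-side OTP verifier that limits what a stolen or guessed code is worth.

Added example for this article, not code from Zimperium or any vendor.
A code is bound to the login session that requested it, expires quickly,
is accepted once, and locks after a few wrong guesses. OTP_TTL_SECONDS and
MAX_ATTEMPTS are assumed values chosen for the example.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 120   # assumed: how long an issued code stays valid
MAX_ATTEMPTS = 3        # assumed: wrong guesses before the challenge locks


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class OtpVerifier:
    """In-memory store of outstanding challenges keyed by login session id."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can control time
        self._challenges = {}

    def issue(self, session_id):
        """Create a fresh 6-digit code for this session; the caller delivers it
        over SMS. Re-issuing replaces any earlier code for the same session."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[session_id] = Challenge(code, self._clock())
        return code

    def verify(self, session_id, submitted):
        """Return 'ok' or a reason string explaining the rejection."""
        ch = self._challenges.get(session_id)
        if ch is None:
            return "no_challenge"        # code presented from a session that never asked for one
        if ch.used:
            return "already_used"        # replay of a consumed code
        if self._clock() - ch.issued_at > OTP_TTL_SECONDS:
            del self._challenges[session_id]
            return "expired"
        if ch.attempts >= MAX_ATTEMPTS:
            del self._challenges[session_id]
            return "locked"              # force a new challenge after repeated misses
        ch.attempts += 1
        # Constant-time comparison so timing does not leak matching digits.
        if not hmac.compare_digest(ch.code.encode(), str(submitted).encode()):
            return "mismatch"
        ch.used = True
        return "ok"


def demo():
    """Walk through each outcome with a controllable clock; returns the results."""
    now = [1_700_000_000.0]
    v = OtpVerifier(clock=lambda: now[0])
    results = {}

    code = v.issue("sess-victim")
    # A code lifted from the victim's phone, submitted from a different session.
    results["wrong_session"] = v.verify("sess-attacker", code)
    results["correct"] = v.verify("sess-victim", code)
    results["replay"] = v.verify("sess-victim", code)

    real = v.issue("sess-bruteforce")
    wrong = "000000" if real != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        v.verify("sess-bruteforce", wrong)
    results["locked"] = v.verify("sess-bruteforce", wrong)

    v.issue("sess-slow")
    now[0] += OTP_TTL_SECONDS + 1
    results["expired"] = v.verify("sess-slow", "123456")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The session binding is what defeats the simplest resale scenario the article describes: a buyer who holds only the phone number and the captured code, but not the victim's login session, gets `no_challenge`. A production deployment would keep the challenge store in a shared backend rather than process memory and would log the `locked` and `no_challenge` outcomes as fraud signals.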
