Since at least February 2022, a new malware campaign has been observed using malicious Android apps to steal users’ SMS messages as part of a large-scale campaign.
The malware, which spans more than 107,000 unique samples, is designed to intercept one-time passwords (OTPs) used for online account verification to commit identity fraud.
“Of these 107,000 malware samples, more than 99,000 of these apps are/were unknown and not available in public repositories,” according to mobile security company Zimperium. said in a report shared with The Hacker News. “This malware monitored OTP messages for more than 600 global brands, with some brands having users in the hundreds of millions.”
Victims of the campaign were found in 113 countries, India and Russia lead the list, followed by Brazil, Mexico, the USA, Ukraine, Spain and Turkey.
The starting point of the attack is the installation of a malicious application, which the victim is tricked into doing install on your device either through deceptive advertising that mimics app listings in the Google Play Store, or through any of Telegram’s 2,600 bots that act as a distribution channel by masquerading as legitimate services (such as Microsoft Word).
Once installed, the program requests permission to access incoming SMS messages, after which it contacts one of 13 control servers (C2) to transmit the stolen SMS messages.
“The malware remains hidden by constantly monitoring new incoming SMS messages,” the researchers said. “Its primary target is one-time passwords used for online account verification.”
It is currently unclear who is behind this operation, although threat actors have been seen accepting various payment methods, including cryptocurrency, to fuel a service called Fast SMS (fastsms(.)su), which allows customers to buy access to virtual phone numbers.
It is likely that phone numbers associated with infected devices are used without the owner’s knowledge to register various online accounts by collecting one-time passwords required for two-factor authentication (2FA).
In early 2022, Trend Micro shed light about a similar financially motivated service that gathered Android devices into a botnet that could be used to “mass sign up one-time accounts or create phone-verified accounts for fraud and other criminal activities.”
“These stolen credentials serve as a springboard for further fraudulent activities, such as creating fake accounts on popular services to launch phishing campaigns or social engineering attacks,” Cimperium said.
Conclusions are emphasized continuation abuse Telegram, a popular instant messaging app with more than 950 million monthly active users, has been targeted by attackers with a variety of goals ranging from spreading malware to C2.
Earlier this month, Positive Technologies disclosed two families of SMS stealers, called SMS Webpro and NotifySmsStealer, that target Android device users in Bangladesh, India, and Indonesia to deliver messages to a criminal-backed Telegram bot.
Also, a Russian cyber security company discovered malicious strains of theft masquerading as TrueCaller and ICICI Bank and capable of stealing users’ photos, device information and notifications via the messaging platform.
“The chain of infection starts with a typical phishing attack on WhatsApp,” security researcher Varvara Ahapkina said. “With few exceptions, an attacker uses phishing sites posing as a bank to get users to download apps from them.”
Another malware that uses Telegram as a C2 server is TgrAT, a Windows remote access trojan that was recently updated to include a Linux variant. It is equipped to download files, take screenshots and execute commands remotely.
“Telegram is widely used as an enterprise messenger by many companies,” – Dr. Web. said. “Thus, it’s no surprise that threat actors can use it as a vector to deliver malware and steal sensitive information: the popularity of the app and the regular traffic on Telegram’s servers make it easy to mask malware in a compromised network.”
