SMS theft alert: Android users under attack in 113 countries
A global SMS-stealing campaign has been detected, affecting Android devices across 113 countries. The operation employs thousands of Telegram bots to distribute malware that steals one-time two-factor authentication (2FA) passwords for more than 600 services. Researchers at Zimperium, a US-based mobile security company, have been monitoring this activity since February 2022 and have identified over 107,000 unique malware samples linked to the campaign.
Financial motives and distribution methods
The primary motive behind this campaign is believed to be financial gain. The malware is disseminated either through malvertising or via Telegram bots that automate communication with potential victims. In the case of malvertising—the practice of incorporating malware in online advertisements—victims are directed to pages imitating Google Play, which display exaggerated download numbers to instill a false sense of trust.
Telegram bots and personalized tracking
On Telegram, the bots offer users pirated Android applications. Before providing the APK file, they request the user's phone number, which is then used to build a new APK tailored to that victim for personalized tracking or future attacks. Zimperium reports that this operation involves 2,600 Telegram bots promoting various Android APKs, controlled by 13 command and control (C2) servers.
India and Russia are the most affected countries
The majority of victims from this campaign are based in India and Russia, with significant numbers also reported in Brazil, Mexico, and the US. The malware sends captured SMS messages to a specific API endpoint at 'fastsms.su,' a site that offers visitors the opportunity to buy access to "virtual" phone numbers in foreign countries for anonymization and authentication purposes on online platforms and services.
Malware exploits Android SMS access permissions
The malware exploits Android SMS access permissions to capture OTPs needed for account registrations and two-factor authentication. This could lead to unauthorized charges on victims' mobile accounts or their involvement in illegal activities traced back to their device and number. To prevent phone number misuse, users are advised not to download APK files from sources other than Google Play, deny risky permissions to apps with unrelated functionality, and ensure Play Protect is active on their device.
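As an added illustration of the "deny risky permissions to apps with unrelated functionality" advice (example code written for this page, not from Zimperium or any tool it names), the script below audits which installed packages hold the SMS-reading permissions such malware needs. It parses text in the shape of `adb shell dumpsys package` output; the package names and the dumpsys excerpt are constructed sample data, and the allowlist of expected SMS apps is an assumption the reader would replace with their own default messaging app.

```python
import re

# Constructed sample in the shape of `adb shell dumpsys package` output (not real device data).
SAMPLE_DUMPSYS = """\
  Package [com.android.messaging] (1a2b3c):
    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
  Package [com.example.flashlight] (4d5e6f):
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
  Package [com.example.notes] (7a8b9c):
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
"""

# Permissions that let an app read incoming OTP messages.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def granted_permissions(dumpsys_text):
    """Map package name -> set of permissions reported as granted=true."""
    result, current = {}, None
    for line in dumpsys_text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            result[current] = set()
            continue
        perm = PERM_RE.match(line)
        if perm and current is not None and perm.group(2) == "true":
            result[current].add(perm.group(1))
    return result


def sms_capable_packages(dumpsys_text, allowlist=frozenset()):
    """Sorted (package, [held SMS permissions]) for packages outside the allowlist."""
    findings = []
    for pkg, perms in granted_permissions(dumpsys_text).items():
        held = sorted(perms & SMS_PERMISSIONS)
        if held and pkg not in allowlist:
            findings.append((pkg, held))
    return sorted(findings)


if __name__ == "__main__":
    # Assumed allowlist: the device's own messaging app is expected to read SMS.
    for pkg, held in sms_capable_packages(SAMPLE_DUMPSYS, {"com.android.messaging"}):
        print(f"REVIEW {pkg}: holds {', '.join(held)}")
```

On a real device, pipe `adb shell dumpsys package` into the script instead of the embedded sample; any flagged package whose purpose has nothing to do with messaging is a candidate for revoking the permission or uninstalling.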