Global SMS Stealer Campaign Exploits Android Devices via Telegram Bots

A massive global SMS Stealer Campaign targeting Android devices through a sophisticated network of Telegram bots has recently been uncovered. Cybersecurity firm Zimperium, which has been monitoring this campaign since February 2022, has identified over 107,000 unique malware samples associated with the operation. The primary objective of the attackers is financial gain, achieved by stealing SMS messages and one-time passwords (OTPs) to access over 600 different services.

Sophisticated Techniques and Global Reach

This intricate cyber operation uses a combination of malvertising and Telegram bots to distribute SMS-stealing malware. Victims are lured to counterfeit web pages mimicking the Google Play Store, complete with fake download counts to create a false sense of legitimacy. Concurrently, Telegram bots entice users with promises of pirated Android applications. When users provide their phone numbers to receive an Android application package (APK) file, they unknowingly facilitate the generation of a customized APK for further exploitation.

Zimperium reports that the SMS Stealer Campaign is managed through 2,600 Telegram bots and controlled by 13 command and control (C2) servers. These servers coordinate the malware’s activities, from distribution to data theft execution. The primary targets are in India and Russia, with significant incidents also reported in Brazil, Mexico, and the United States.

Infection Process and Capabilities

The infection process is designed to remain undetected. Initially, the malware requests permissions to read SMS messages, which appear harmless but grant extensive access to personal data. Once installed, the malware communicates with its C2 server, receiving commands and transmitting collected data.

The malware’s ability to monitor and capture incoming SMS messages, especially those containing OTPs essential for account verification, highlights its high level of sophistication. This stealthy operation not only ensures continuous data theft but also maintains the attackers’ anonymity.

The campaign’s scale is extensive, affecting users in 113 countries. The malware targets a wide range of services, including banking and financial platforms, as well as social media accounts. By intercepting OTPs, attackers bypass security measures designed to protect user accounts, gaining unauthorized access and compromising personal and financial data.
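As an added illustration of the permission abuse described above (this is not code from Zimperium or from the article), the following Python triage check flags a decoded AndroidManifest.xml that combines SMS read/receive permissions, a receiver for the SMS_RECEIVED broadcast, and network access, which is the minimum an app needs to intercept OTPs and send them out. The manifest below is a constructed sample, not a real malware artifact.

```python
"""Triage check: does an Android manifest declare what an SMS stealer needs?"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree expands android:name to this form

# Permissions that let an app read stored SMS or receive incoming SMS.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def assess_manifest(manifest_xml: str) -> dict:
    """Return the SMS-related capabilities declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    # A receiver whose intent-filter listens for SMS_RECEIVED sees every incoming message.
    listens_for_sms = any(
        action.get(NAME) == SMS_RECEIVED_ACTION
        for receiver in root.iter("receiver")
        for action in receiver.iter("action")
    )
    has_internet = "android.permission.INTERNET" in perms
    sms_perms = sorted(perms & SMS_PERMISSIONS)
    # SMS access plus a broadcast receiver plus a network path out: flag for manual review.
    suspicious = bool(sms_perms) and listens_for_sms and has_internet
    return {"sms_permissions": sms_perms, "sms_receiver": listens_for_sms,
            "internet": has_internet, "suspicious": suspicious}


# Constructed sample manifest (hypothetical package name) for an app that has no
# legitimate reason to read SMS yet asks for it and registers an SMS receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".SmsListener" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(assess_manifest(SAMPLE_MANIFEST))
```

Run it against the manifest extracted by apktool or aapt from any APK under review; a hit is a reason to inspect the app, not proof of malice on its own.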

Malware Distribution and Control Tactics in the SMS Stealer Campaign

The distribution methods of this malware include malvertising and direct communication via Telegram. These tactics are cleverly designed to appear legitimate, tricking users into downloading and installing harmful applications.

After installation, the malware connects to a C2 server whose address is either retrieved dynamically via platforms like Firebase or hardcoded within the application. Zimperium researchers have discovered that attackers also use GitHub repositories to distribute C2 details and malicious APKs, demonstrating the campaign organizers’ adaptability and technical prowess. Once active, the malware forwards the captured SMS data to ‘fastsms.su,’ a platform providing virtual phone numbers for anonymization and unauthorized authentication purposes.

Zimperium has warned Chief Information Security Officers (CISOs) to stay vigilant against similar campaigns in the future. “The proliferation of this mobile malware, coupled with the ease of data theft, poses a significant threat to individuals and organizations alike,” stated Zimperium researchers in a blog post. They emphasized the importance of proactive measures and comprehensive mobile threat defense (MTD) solutions to mitigate these risks. Ignoring these threats is not an option, and protecting device assets and sensitive information is crucial.
