SMS stealer malware targets Android devices worldwide

August 1, 2024
Tags: SMS Stealer Malware, AndroidOS Malware, Data Theft, Telegram Bots

A new SMS stealer malware campaign is targeting Android smartphones using hundreds of Telegram bots. Based on reports, the malware aims to harvest one-time 2FA passwords for over 600 services globally.

Researchers confirmed the operation after monitoring it since February 2022. They found at least 107,000 distinct malware samples associated with the campaign. Their initial analysis of the ongoing attack also concluded that its operators are financially motivated and are most likely using infected devices as authentication and anonymisation relays.

Hackers spread the SMS stealer malware through Telegram bots.

According to investigations, the campaign operators distribute the SMS stealer malware through malvertising or Telegram bots. This tactic allows them to automate conversations with victims and efficiently spread the malware.

In the malvertising campaign, the hackers use pages that mimic the official Google Play Store and display inflated download counts to make the app appear legitimate and create false confidence in their targets.

On Telegram, the attackers rely on bots that offer the user a pirated Android app and ask for their phone number before sending the APK file. The bot then uses that number to generate a new APK, allowing for tailored tracking and future attacks.

Researchers revealed that this operation leverages 2,600 Telegram bots to promote various Android APKs managed by about 13 C2 servers. Most of the victims of this campaign came from India and Russia, but there are also large numbers of victims in the US, Brazil, and Mexico.

Furthermore, the researchers noticed that the malware sends recorded SMS messages to a specified API endpoint on the website called ‘fastsms.su.’ Site visitors can acquire access to “virtual” phone numbers in foreign countries, which they can use to remain anonymous and authenticate to internet platforms and services.

Researchers also believe that the service may be actively using the infected devices without the victims’ knowledge. Once it holds the required Android SMS permissions, the malware can capture the OTPs required for account registration and two-factor authentication.

These compromises can result in unauthorised charges on the victims’ mobile accounts and in illegal activity being tied to their devices and numbers. Users should therefore avoid downloading APK files from unofficial or suspicious sources and deny any permission that is unrelated to an app’s function.
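One way a defender can check for the capability this malware depends on is to audit which installed apps hold SMS permissions and where they were installed from. The script below is an added example, not code from the article or the researchers: it parses the output of `adb shell dumpsys package <pkg>` (the sample dumps are constructed, and real output carries many more fields) and flags sideloaded apps that have been granted SMS access.

```python
"""Flag sideloaded Android apps that hold SMS-reading permissions.

Feed it the text of `adb shell dumpsys package <pkg>` for each package.
The sample dumps below are constructed for illustration; the field names
(installerPackageName, granted=true) match what dumpsys prints.
"""
import re

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
PLAY_STORE = "com.android.vending"  # installer id for Google Play

def parse_package_dump(text):
    """Extract package name, installer and granted SMS permissions from one dump."""
    pkg = re.search(r"Package \[([\w.]+)\]", text)
    inst = re.search(r"installerPackageName=([\w.]+)", text)
    installer = inst.group(1) if inst and inst.group(1) != "null" else None
    granted = {m.group(1)
               for m in re.finditer(r"(android\.permission\.\w+): granted=true", text)
               if m.group(1) in SMS_PERMS}
    return {"package": pkg.group(1) if pkg else None,
            "installer": installer,
            "sms_granted": sorted(granted)}

def flag_suspicious(dumps):
    """Return apps that were not installed from Play yet can read SMS.

    A Play-installed messenger with READ_SMS is expected; a sideloaded APK
    with RECEIVE_SMS is exactly the profile an OTP stealer needs.
    """
    return [info for info in map(parse_package_dump, dumps)
            if info["sms_granted"] and info["installer"] != PLAY_STORE]

# Constructed sample dumps (abridged dumpsys package output).
SAMPLE_DUMPS = [
    "Package [com.example.freeapp] (1a2b3c):\n  installerPackageName=null\n"
    "  runtime permissions:\n    android.permission.RECEIVE_SMS: granted=true\n",
    "Package [com.example.messenger] (4d5e6f):\n"
    "  installerPackageName=com.android.vending\n"
    "  runtime permissions:\n    android.permission.READ_SMS: granted=true\n",
    "Package [com.example.game] (7g8h9i):\n  installerPackageName=null\n"
    "  runtime permissions:\n    android.permission.INTERNET: granted=true\n",
]

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_DUMPS):
        print(f"{hit['package']}: sideloaded, holds {', '.join(hit['sms_granted'])}")
```

On a real device, collect the dumps with `adb shell pm list packages -3` followed by `adb shell dumpsys package <pkg>` for each third-party package.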
