A malicious campaign active since at least February 2022 has been using Android apps to steal victims' SMS messages as part of a broader fraud operation.
Spanning more than 107,000 unique samples, the malicious apps are designed to intercept one-time passwords (OTPs) used to verify online accounts and commit identity fraud.
“Of the 107,000 malware samples, over 99,000 applications are unknown and not available in publicly accessible repositories,” mobile security firm Zimperium said in a report shared with The Hacker News. “The malware has monitored one-time password messages for over 600 global brands, some of which have hundreds of millions of users.”
Victims of this attack have been confirmed in 113 countries, with India and Russia leading the way, followed by Brazil, Mexico, the United States, Ukraine, Spain and Turkey.
The attack begins when victims are tricked into installing a malicious app, either through fake advertisements that mimic Google Play Store listings or through one of roughly 2,600 Telegram bots that pose as legitimate services (such as Microsoft Word) and act as distribution channels.
Once installed, the app requests permission to read incoming SMS messages and then connects to one of 13 command-and-control (C2) servers to exfiltrate the stolen messages.
“The malware remains hidden and constantly monitors for new SMS messages,” the researchers said. “The primary target is OTPs used to authenticate online accounts.”
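The interception capability described above has a recognisable static footprint: an SMS permission, a BroadcastReceiver registered for the system's SMS-received broadcast, and network access to reach a C2. The following triage script is an added example, not code from the Zimperium report or from any of the samples it describes; it parses a decoded AndroidManifest.xml (as produced by apktool or similar) and flags that combination. Both manifests it checks are constructed for illustration, and the package and class names in them are invented.

```python
"""Static triage of a decoded AndroidManifest.xml for the SMS-interception pattern.

Added example: looks for the combination an OTP stealer needs
  - android.permission.RECEIVE_SMS and/or READ_SMS
  - a <receiver> whose intent-filter listens for android.provider.Telephony.SMS_RECEIVED
  - android.permission.INTERNET to reach a C2 server
The manifests below are constructed samples, not taken from real malware.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed: a "document viewer" that also registers an SMS receiver (hypothetical names).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.docviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Word">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsListener" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed: an ordinary networked app with no SMS access, as the negative case.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an attribute from the android: namespace (ElementTree needs the full URI)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text: str) -> dict:
    """Return the SMS-related indicators found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {android_attr(p, "name") for p in root.iter("uses-permission")}

    # Collect every receiver whose intent-filter registers for the SMS broadcast.
    sms_receivers = []
    for recv in root.iter("receiver"):
        for action in recv.iter("action"):
            if android_attr(action, "name") == SMS_RECEIVED_ACTION:
                sms_receivers.append(android_attr(recv, "name"))
                break

    has_sms_perm = bool(perms & SMS_PERMISSIONS)
    has_internet = "android.permission.INTERNET" in perms
    return {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "sms_receivers": sms_receivers,
        "internet": has_internet,
        # The permission alone is legitimate for a messaging app; the receiver
        # plus network access is what turns it into an interception-and-exfil capability.
        "suspicious": has_sms_perm and bool(sms_receivers) and has_internet,
    }


if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(text))
```

Two caveats when using this on real APKs: RECEIVE_SMS is a runtime permission, so the user prompt on install-and-launch (the "requests permission" step above) is where the victim actually grants the capability, and a manifest hit alone does not prove the app was ever able to read a message; and since Android 4.4 only the default SMS app can consume the message, but any app holding RECEIVE_SMS still receives the SMS_RECEIVED broadcast, which is all an OTP stealer needs.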
It is not clear at this time who is behind the attacks, but the operators have been observed promoting a service called Fast SMS (fastsms(.)su) that sells access to virtual phone numbers and accepts a variety of payment methods, including cryptocurrencies.
The phone numbers of infected devices are in effect rented out, without the owners' knowledge, to register accounts on online services and collect the OTPs those services send for two-factor authentication (2FA).
In early 2022, Trend Micro uncovered a similar financially motivated service that recruited Android devices into a botnet “to bulk register throwaway accounts and create phone-verified accounts for fraud and other criminal activity.”
“The stolen credentials serve as a springboard for further fraudulent activity, such as creating fake accounts on popular services to launch phishing campaigns and social engineering attacks,” Zimperium said.
The findings highlight how Telegram, a popular instant messaging app with over 950 million monthly active users, continues to be abused by malicious actors for a variety of purposes ranging from malware distribution to C2.
Earlier this month, Positive Technologies exposed two SMS stealer families, called SMS Webpro and NotificationSmsStealer, that target Android device users in Bangladesh, India and Indonesia with the goal of diverting messages to Telegram bots controlled by the threat actor.
The Russian cybersecurity firm also identified a stealer that poses as TrueCaller or ICICI Bank and exfiltrates users' photos, device information and notifications via messaging platforms.
“The infection chain starts with a typical phishing attack on WhatsApp,” security researcher Varvara Akhapkina said. “With a few exceptions, attackers use phishing sites posing as banks to trick users into downloading the app.”
Another piece of malware that uses Telegram as a C2 server is TgRAT, a Windows remote access trojan that has recently gained a Linux variant capable of downloading files, taking screenshots and executing commands remotely.
“Telegram is widely used by many companies as a corporate messenger,” Doctor Web said, “so it is not surprising that threat actors could use it as a means to distribute malware and steal sensitive information. The popularity of the program and regular traffic to Telegram’s servers make it easy to disguise malware on a compromised network.”
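Because Telegram's web and desktop clients generate legitimate traffic to telegram.org domains, blocking or alerting on the domain alone produces noise. What distinguishes the bot-based C2 and exfiltration described for the SMS stealers and TgRAT is the Bot API URL shape, where the bot's identifier and token sit in the path (api.telegram.org/bot<id>:<token>/<method>). The following script is an added example, not from any of the vendors cited above; it scans constructed proxy log lines for Bot API calls, groups them by client, and lets an allowlist of known corporate bot IDs suppress expected integrations. The log format, IP addresses and token are all invented.

```python
"""Find Telegram Bot API usage in proxy logs, as an indicator of bot-based C2/exfiltration.

Added example. Log lines are constructed as: <timestamp> <client_ip> <method> <url> <status>.
The bot token below is made up and has never been valid.
"""
import re
from collections import defaultdict

SAMPLE_PROXY_LOG = """\
2024-07-30T09:14:02Z 10.20.3.41 POST https://api.telegram.org/bot7012345678:AAHk9x_ExampleTokenPart_abcdefghijk/sendMessage 200
2024-07-30T09:14:03Z 10.20.3.41 GET https://api.telegram.org/bot7012345678:AAHk9x_ExampleTokenPart_abcdefghijk/getUpdates 200
2024-07-30T09:14:07Z 10.20.5.12 GET https://web.telegram.org/a/ 200
2024-07-30T09:15:11Z 10.20.3.41 POST https://api.telegram.org/bot7012345678:AAHk9x_ExampleTokenPart_abcdefghijk/sendDocument 200
2024-07-30T09:16:00Z 10.20.7.9 GET https://example.com/index.html 200
"""

# Bot API path: /bot<numeric bot id>:<token secret>/<method>. The secret's exact
# alphabet/length is not asserted here; any URL-safe token characters are accepted.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)


def find_bot_api_calls(log_text: str, known_bot_ids=frozenset()) -> dict:
    """Group Bot API calls by client IP, skipping bots on the allowlist.

    The token secret is intentionally not copied into the findings: it is a
    credential, and an alert record is not the place to store it.
    """
    hits = defaultdict(lambda: {"bot_ids": set(), "methods": set(), "count": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the sweep
        client, url = parts[1], parts[3]
        m = BOT_API_RE.search(url)
        if not m or m["bot_id"] in known_bot_ids:
            continue
        rec = hits[client]
        rec["bot_ids"].add(m["bot_id"])
        rec["methods"].add(m["method"])
        rec["count"] += 1
    return {
        client: {
            "bot_ids": sorted(rec["bot_ids"]),
            "methods": sorted(rec["methods"]),
            "count": rec["count"],
        }
        for client, rec in hits.items()
    }


if __name__ == "__main__":
    for client, rec in find_bot_api_calls(SAMPLE_PROXY_LOG).items():
        print(client, rec)
```

The method mix is useful on its own: sendMessage and sendDocument from an endpoint are consistent with one-way exfiltration (stolen SMS, screenshots, files), while getUpdates polled from the same host means the implant is also receiving instructions, i.e. a full command channel rather than a notification hook. A host that both polls and sends, using a bot ID nobody in the organisation registered, is the case worth escalating.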