been tracking this campaign since February 2022, over 107,000 unique malware samples have been linked to this operation. The primary goal of the attackers is financial gain, using the stolen SMS messages and OTPs to facilitate unauthorised access to over 600 different services.

A sophisticated SMS stealer campaign

This sophisticated cyber operation leverages both malvertising and Telegram bots to distribute SMS-stealing malware. Victims are lured to fake web pages that mimic the Google Play Store, complete with inflated download counts to foster a false sense of security. Meanwhile, Telegram bots entice users with offers of pirated Android applications. Once engaged, the victim provides their phone number under the guise of receiving an Android application package (APK) file, unknowingly facilitating the generation of a customised APK tailored for further exploitation.

According to Zimperium, the SMS stealer campaign is orchestrated through 2,600 Telegram bots and controlled by 13 command and control (C2) servers. These servers direct the activities of the malware, from its distribution to the execution of data theft. The primary victims of this invasive campaign reside in India and Russia, with significant numbers also reported in Brazil, Mexico, and the United States.

Infection process and malware capabilities

The infection process is meticulously designed to fly under the radar. Initially, the malware requests SMS message reading permissions, which may seem innocuous to the user but are high-risk because they give the attacker extensive access to personal data. Once installed, the malware establishes communication with its C2 server, which commands the malware and collects the transmitted data.

The malware’s capability to remain undetected while actively monitoring and capturing incoming SMS messages, particularly those containing OTPs crucial for account verification, illustrates the high level of its sophistication. This stealthy operation not only ensures continual data theft but also maintains the anonymity of the attackers.
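The capability set described above (SMS-read permissions, a receiver for incoming texts, and network access to reach a C2 server) can be triaged statically from an app's manifest. The following is an added defender-side example, not Zimperium's tooling; the manifest it scans is constructed for illustration and the indicator names are the standard Android permission and broadcast identifiers.

```python
"""Static triage of an AndroidManifest.xml for the SMS-stealer pattern:
SMS-reading permissions + INTERNET + a receiver for SMS_RECEIVED."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # the android:name attribute, namespaced

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the indicators found in one manifest and an overall verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMS)
    has_internet = "android.permission.INTERNET" in perms
    # A receiver registered for SMS_RECEIVED sees every incoming text (and OTP).
    sms_receiver = any(
        a.get(NAME) == SMS_ACTION
        for r in root.iter("receiver") for a in r.iter("action")
    )
    # All three together is the interception-plus-exfiltration capability set.
    suspicious = bool(sms_perms) and has_internet and sms_receiver
    return {
        "sms_permissions": sms_perms,
        "internet": has_internet,
        "sms_receiver": sms_receiver,
        "verdict": "review: SMS interception + network exfil" if suspicious else "ok",
    }


# Constructed sample manifest (hypothetical package, not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The check is a triage signal, not a verdict on its own: legitimate messaging apps request the same permissions, so flagged packages still need review of where the receiver sends the data.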

The scale of this SMS stealer campaign is also vast, affecting users across 113 countries. Additionally, the malware targets a broad spectrum of services, from banking and financial platforms to social media accounts. By intercepting OTPs, the attackers can bypass security measures meant to protect user accounts, gain unauthorised access, and compromise personal and financial data.

Deep dive into malware distribution and control

The distribution channels of this malware include both malvertising and direct communication via Telegram. These methods are ingeniously crafted to appear legitimate, deceiving users into downloading and installing harmful applications.

Post-installation, the malware connects to a C2 server, which could be dynamically retrieved via platforms like Firebase or hardcoded within the application. Researchers from Zimperium have also uncovered the use of GitHub repositories by attackers to distribute C2 details and malicious APKs, demonstrating the adaptability and technical sophistication of the campaign organisers. The malware, once active, transmits stolen SMS details to ‘fastsms.su’, a platform offering virtual phone numbers for anonymisation and unauthorised authentication purposes.

Zimperium warned CISOs to remain vigilant about similar campaigns in the future. “The proliferation of this mobile malware, coupled with the ease of data theft… poses a significant threat to individuals and organisations alike,” wrote Zimperium researchers in a blog post on the campaign. “Sophisticated campaigns such as this SMS stealer campaign introduce a variety of unwanted security risks to enterprises and can be easily avoided if properly prepared with a comprehensive mobile threat defense (MTD) solution. Ignoring the risks is not an option. That is why it is important to take proactive measures to understand your risk exposure and to protect your device assets and the sensitive information associated with it.”
