Android Devices in 113 Countries Affected by Widespread SMS Stealer Campaign
A significant and malicious cyber campaign targeting Android devices worldwide has recently been uncovered, involving the use of thousands of Telegram bots to distribute SMS-stealing malware. This malware is specifically designed to capture one-time 2FA (two-factor authentication) passwords from users across more than 600 different services. Researchers at Zimperium have been actively tracking this operation since February 2022, and they have identified at least 107,000 distinct malware samples associated with it, highlighting the scale and sophistication of the attack.
The motivation behind this cybercriminal operation is primarily financial gain. The attackers appear to be leveraging the infected devices as relays for authentication and anonymization, enabling them to conduct illicit activities without drawing attention to themselves. By compromising the personal devices of users, the criminals can effectively bypass security measures and access sensitive information.
The modus operandi of the attackers begins with deceiving victims into visiting counterfeit pages that closely resemble the legitimate Google Play Store. These fraudulent sites report inflated download counts and display what appear to be positive reviews, thereby creating a false sense of trust and legitimacy. Users who navigate to these pages may be enticed to download pirated Android applications offered by the Telegram bots. To gain access to these pirated apps, users are prompted to provide their phone numbers, which the bots then use to generate a customized APK file. This tactic allows the attackers to implement personalized tracking mechanisms and set the stage for future attacks on the unsuspecting victims.
According to Zimperium’s findings, the campaign utilizes approximately 2,600 Telegram bots to promote various Android APKs. These bots are controlled by 13 command and control (C2) servers, which orchestrate the distribution of the malware and manage communication with the infected devices. The majority of the victims affected by this operation are located in India and Russia, but there are also significant victim counts in countries such as Brazil, Mexico, and the United States. This international scope underscores the global nature of the threat posed by these cybercriminals.
Once a device is infected, the malware captures SMS messages, focusing in particular on OTPs (one-time passwords) used for account registrations and two-factor authentication. The intercepted messages are transmitted to a designated API endpoint at ‘fastsms.su’, a website that sells access to “virtual” phone numbers in various foreign countries. Buyers use these numbers to authenticate accounts on online platforms, so the infected devices are effectively rented out as SMS relays without the victims’ knowledge.
This abuse of the infected devices poses several risks for the victims, who may face unauthorized charges on their mobile accounts as a result of the malicious activity routed through their phones. Furthermore, victims could inadvertently find themselves implicated in illegal activities that are traceable to their device and associated phone number, potentially leading to legal consequences.
To mitigate the risk of falling victim to such attacks, users are strongly advised to exercise caution when downloading applications. Avoiding the download of APK files from sources outside the official Google Play Store is critical, as is refraining from granting risky permissions to apps that do not require them for their intended functionality. Users should also ensure that Google Play Protect, the built-in security feature of Android devices, is enabled to provide an additional layer of protection against malicious software. By remaining vigilant and informed about these types of threats, users can better safeguard their personal information and protect their devices from potential exploitation.
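As an added illustration of the permission check recommended above (this is not code from Zimperium or from the original article), the script below parses the output of `adb shell pm list packages -i` and `adb shell dumpsys package` and flags apps that were not installed from the Play Store yet hold SMS-reading permissions, the capability an SMS stealer depends on. The sample device output is constructed, and the dumpsys line format is assumed to match recent Android builds.

```python
import re

# Permissions that let an app read incoming SMS, the capability an SMS stealer relies on.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                   "android.permission.RECEIVE_MMS", "android.permission.RECEIVE_WAP_PUSH"}
PLAY_STORE_INSTALLER = "com.android.vending"

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)")      # pm list packages -i
PKG_HEADER = re.compile(r"^\s*Package \[([^\]]+)\]")            # dumpsys package section start
PERM_LINE = re.compile(r"^\s*(android\.permission\.\w+): granted=true")


def parse_installers(pm_output):
    """Map package -> installer from `adb shell pm list packages -i` output."""
    return {m.group(1): m.group(2) for m in map(PM_LINE.match, pm_output.splitlines()) if m}


def parse_granted_sms_permissions(dumpsys_output):
    """Map package -> set of granted SMS permissions from `adb shell dumpsys package` output."""
    result, current = {}, None
    for line in dumpsys_output.splitlines():
        header = PKG_HEADER.match(line)
        if header:
            current = header.group(1)
            result.setdefault(current, set())
            continue
        perm = PERM_LINE.match(line)
        if perm and current and perm.group(1) in SMS_PERMISSIONS:
            result[current].add(perm.group(1))
    return result


def find_suspicious(pm_output, dumpsys_output, default_sms_app):
    """Sideloaded packages (not installed by Play) holding SMS permissions, excluding the default SMS app."""
    installers = parse_installers(pm_output)
    flagged = []
    for pkg, granted in sorted(parse_granted_sms_permissions(dumpsys_output).items()):
        if granted and pkg != default_sms_app and installers.get(pkg) != PLAY_STORE_INSTALLER:
            flagged.append((pkg, installers.get(pkg, "unknown"), sorted(granted)))
    return flagged


# Constructed sample output, not captured from a real device.
SAMPLE_PM = """package:com.google.android.apps.messaging installer=com.android.vending
package:com.example.pirated.game installer=null
package:com.bank.app installer=com.android.vending"""
SAMPLE_DUMPSYS = """Packages:
  Package [com.google.android.apps.messaging] (1a2b3c):
    User 0: installed=true
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
  Package [com.example.pirated.game] (4d5e6f):
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
  Package [com.bank.app] (7a8b9c):
    install permissions:
      android.permission.INTERNET: granted=true"""

if __name__ == "__main__":
    for pkg, installer, granted in find_suspicious(SAMPLE_PM, SAMPLE_DUMPSYS, "com.google.android.apps.messaging"):
        print(f"{pkg} (installer={installer}) holds {', '.join(granted)}")
```

On a real device, pipe the two adb commands into the parsers and pass the package name reported by the Default SMS app setting; anything flagged deserves a closer look before its SMS permissions are revoked.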