A new malicious campaign that utilizes malicious Android apps to steal users’ SMS messages as part of a broader operation has been observed since at least February 2022.
The campaign comprises almost 107,000 distinct samples, and the malicious apps are designed to intercept the one-time passwords (OTPs) used for online account verification in order to commit identity theft. “Of those 107,000 malware samples, over 99,000 of these applications are or were unknown and unavailable in generally available repositories,” Zimperium, a mobile security company, stated in a report seen by The Hacker News. “This malware was monitoring one-time password messages across over 600 global brands, with some brands having user counts in the hundreds of millions of users.”
The campaign has been observed in 113 countries, with Russia and India at the top of the list, followed by the United States, Brazil, Mexico, Ukraine, Spain, and Turkey. The attack begins with the victim being tricked into installing a malicious app on their device, either through fake advertisements that mimic Google Play Store app listings or through any of the 2,600 Telegram bots that serve as the distribution channel by impersonating trustworthy services (such as Microsoft Word). After installation, the application contacts one of 13 command-and-control (C2) servers, to which the pilfered SMS messages are sent, and asks for permission to access incoming messages.
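As an added illustration (not from the article or from Zimperium's research), the following Python script triages installed apps by the two signals the infection chain above relies on: an SMS-reading permission combined with a sideload installer source rather than the Play Store. It parses the `adb shell dumpsys package <pkg>` layout; the sample dumps and package names are constructed, not real apps.

```python
import re
from dataclasses import dataclass, field

# Permissions that let an app read incoming SMS, and therefore OTP codes.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# Installer sources treated as trusted; sideloaded apps report "null" or a browser/chat app.
TRUSTED_INSTALLERS = {"com.android.vending"}


@dataclass
class AppInfo:
    package: str
    installer: str
    permissions: set = field(default_factory=set)


def parse_dumpsys(text: str) -> AppInfo:
    """Pull package name, installer and requested permissions out of one dumpsys dump."""
    package = re.search(r"Package \[([\w.]+)\]", text).group(1)
    m = re.search(r"installerPackageName=(\S+)", text)
    info = AppInfo(package, m.group(1) if m else "null")
    in_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
        elif in_block and stripped.endswith(":"):  # next section header ends the block
            break
        elif in_block and stripped:
            info.permissions.add(stripped)
    return info


def classify(app: AppInfo) -> str:
    """HIGH: SMS access from an untrusted installer; REVIEW: SMS access from a trusted one."""
    if not app.permissions & SMS_PERMISSIONS:
        return "OK"
    return "REVIEW" if app.installer in TRUSTED_INSTALLERS else "HIGH"


def triage(dumps):
    """Return (package, verdict) for every dump, worst verdict first."""
    order = {"HIGH": 0, "REVIEW": 1, "OK": 2}
    results = [(a.package, classify(a)) for a in map(parse_dumpsys, dumps)]
    return sorted(results, key=lambda r: order[r[1]])


# Constructed sample dumps (abridged dumpsys layout); hypothetical package names.
SAMPLE_DUMPS = [
    "Package [com.example.notes] (1a2b3c):\n    installerPackageName=com.android.vending\n"
    "    requested permissions:\n      android.permission.INTERNET\n    install permissions:\n",
    "Package [com.example.bank] (4d5e6f):\n    installerPackageName=com.android.vending\n"
    "    requested permissions:\n      android.permission.READ_SMS\n      android.permission.INTERNET\n    install permissions:\n",
    "Package [com.example.wordclone] (7a8b9c):\n    installerPackageName=null\n"
    "    requested permissions:\n      android.permission.RECEIVE_SMS\n      android.permission.INTERNET\n    install permissions:\n",
]
```

On a real device, feed it one `dumpsys package` output per package listed by `adb shell pm list packages -3`.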
Although the identity of the perpetrators is presently unknown, the threat actors have been seen using a variety of payment methods, including cryptocurrency, to support a service called Fast SMS (fastsms[.]su) that lets users purchase access to virtual phone lines. It is possible that the phone numbers tied to the compromised devices are being harvested for their two-factor authentication (2FA) OTPs and used, without the owners’ knowledge, to register for numerous online accounts.
A similar profit-driven operation that gathered Android devices into a botnet to “create phone-verified accounts for conducting fraud and other criminal activities” was disclosed by Trend Micro at the beginning of 2022. Google Play Protect, which is enabled by default on devices with Google Play Services, automatically protects Android users against known versions of this malware, a Google representative told The Hacker News. “These stolen credentials serve as a springboard for further fraudulent activities, such as creating fake accounts on popular services to launch phishing campaigns or social engineering attacks,” Zimperium stated.
The findings show that criminal actors continue to abuse Telegram, a popular instant messaging service with over 950 million monthly active users, for a range of purposes, including C2 and malware distribution. Two SMS stealer families, SMS Webpro and NotifySmsStealer, which Positive Technologies disclosed earlier this month, target Android users in Bangladesh, India, and Indonesia and divert their messages to a Telegram bot run by the threat actors. The Russian cybersecurity firm has also discovered stealer malware variants that pose as ICICI Bank and TrueCaller and can access user notifications, device data, and photographs via the chat app.
Security expert Varvara Akhapkina stated, “A standard phishing attack on WhatsApp is the first step in the chain of infection.” “With few exceptions, the attacker uses phishing sites posing as banks to get users to download apps from them.” TgRAT is another malware family that uses Telegram as a command-and-control server: a Windows remote access trojan that was recently updated with a Linux variant, it can remotely execute commands, take screenshots, and download files. “Telegram is widely used as a corporate messenger in many companies,” Doctor Web stated. Because Telegram is so widely used and its servers receive a large volume of traffic, it is not surprising that threat actors exploit it as a conduit to spread malware and steal sensitive data.