Discover how 2,600 Telegram bots have been stealing your passwords and data for over two years!
A sophisticated malware, with over 107,000 variations, has been targeting Android devices for more than two years, stealing SMS messages to capture one-time passwords (OTPs) and other sensitive user data. This malware, known as “SMS Stealer,” has been disseminated through constantly changing mobile apps spread via Telegram messages or advertisements for legitimate apps. Researchers from Zimperium zLabs discovered this malware, which has infected users in 113 countries, with India and Russia being the most affected.
The malware campaign, which began in February 2022, is financially motivated and supported by a significant cybercriminal infrastructure. The attackers have at least 13 command-and-control servers and 2,600 Telegram bots. This campaign’s ability to avoid traditional detection methods makes it particularly dangerous. Nico Chiaraviglio, Zimperium’s chief scientist, emphasised the malware’s sophistication and adaptability, which allows it to be dynamically generated and distributed through multiple threat vectors.
More than 99,000 malware samples analysed by researchers were previously unknown, indicating the campaign’s ability to remain largely undetected for over two years. The malware targets OTP messages from over 60 global brands, some of which have hundreds of millions of users. A Google spokesperson mentioned that Android users are protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services. Google Play Protect can warn users or block malicious apps, even if they come from outside the Play Store.
Evolving SMS Stealer Poses Global Threat to Android Users

The infection process involves multiple stages. It starts when an Android user is tricked into installing a malicious application, either through deceptive ads or Telegram bots using social engineering tactics. Once installed, the app requests permission to read SMS messages, a high-risk permission on Android. The malware then connects to a command-and-control server to receive commands and transmit stolen SMS messages. In its final phase, the victim’s device becomes a silent interceptor, monitoring incoming SMS messages for valuable OTPs. While stealing SMS messages for financial gain is not new, the attackers’ dynamic and persistent approach in this campaign demands an immediate response.
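The two infection steps above that a defender can check for statically are the request for SMS permissions and the registration of a receiver for incoming SMS. The following Python script is an added example, not code from Zimperium or from this article: it audits a decoded AndroidManifest.xml (as produced by a manifest-decoding tool such as apktool) and flags the SMS-related permissions and any broadcast receiver listening for the SMS_RECEIVED action. The two manifests embedded in it are constructed samples; the package name, component name and verdict labels are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace (android:name etc.).
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PRIORITY_ATTR = f"{{{ANDROID_NS}}}priority"

# Permissions that let an app read or intercept SMS, and therefore OTPs.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.RECEIVE_MMS",
    "android.permission.SEND_SMS",
}
# Broadcast action delivered to receivers when an SMS arrives.
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: an app that asks for SMS access and registers a
# high-priority receiver for incoming messages (typical stealer shape).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakerewards">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Free Rewards">
    <receiver android:name=".SmsListener" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an app with only network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""


def audit_manifest(manifest_xml: str) -> dict:
    """Return which SMS permissions and SMS receivers a manifest declares.

    verdict: "none"   - no SMS permissions requested
             "review" - SMS permissions requested, no SMS_RECEIVED receiver
             "high"   - SMS permissions plus a receiver for SMS_RECEIVED
    Legitimate messaging apps also match, so this is a triage signal,
    not a malware verdict on its own.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")

    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    sms_permissions = sorted(requested & SMS_PERMISSIONS)

    # Find receivers whose intent-filter includes the SMS_RECEIVED action,
    # recording the filter priority (stealers often set it very high so
    # they see the SMS before the default messaging app does).
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.iter("intent-filter"):
            actions = {a.get(NAME_ATTR) for a in intent_filter.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                sms_receivers.append({
                    "component": receiver.get(NAME_ATTR),
                    "priority": intent_filter.get(PRIORITY_ATTR),
                })

    if not sms_permissions:
        verdict = "none"
    elif sms_receivers:
        verdict = "high"
    else:
        verdict = "review"

    return {
        "package": package,
        "sms_permissions": sms_permissions,
        "sms_receivers": sms_receivers,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = audit_manifest(xml)
        print(f"{name}: {result['package']} -> {result['verdict']} "
              f"perms={result['sms_permissions']} receivers={result['sms_receivers']}")
```

On a fleet, the same check can be applied to manifests pulled from every sideloaded package, with "high" results prioritised for manual review and any app outside the Play Store that both holds RECEIVE_SMS and listens for SMS_RECEIVED treated as a candidate for removal.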
The increasing prevalence of mobile malware that can steal OTPs poses a significant threat to both individuals and enterprises. These apps not only invade user privacy but also provide a springboard for credential theft, financial fraud, and ransomware attacks. Jason Soroko, senior vice president of product at Sectigo, highlighted the severe risks posed by SMS Stealer’s ability to intercept OTPs and facilitate credential theft.
Sharon Knowles, CEO of Da Vinci Forensics, emphasised the critical need for robust mobile security measures: “The persistent and evolving nature of the SMS Stealer malware highlights the urgent need for organisations to adopt comprehensive mobile threat defence strategies. By leveraging advanced behavioural analysis, real-time threat intelligence, and continuous security updates, we can better protect digital identities and maintain enterprise integrity against sophisticated attacks.”
Source: Elizabeth Montalbano, Sectigo, Zimperium, Dark Reading