
SMS Stealer Mobile Malware

A global cyberattack aimed at Android devices employs thousands of Telegram bots to spread SMS-stealing malware and capture one-time 2FA passwords (OTPs) for over 600 services. Researchers have been monitoring this operation since February 2022 and have identified at least 107,000 unique malware samples linked to the campaign. The attackers appear to be driven by financial incentives, likely using the compromised devices to facilitate authentication and enhance anonymity.

Thousands of Telegram Bots Spread the SMS Stealer Malware

The SMS-stealing malware is spread through two main methods: malvertising and Telegram bots that automate communication with victims.

In the first method, victims are directed to fake Google Play pages, which display inflated download numbers to appear legitimate and gain the victim's trust.

On Telegram, the bots offer pirated Android applications and request the victim's phone number before providing the APK file. This number is used by the bot to create a customized APK, enabling personalized tracking or future attacks.

The operation relies on approximately 2,600 Telegram bots to distribute various Android APKs, all managed by 13 Command-and-Control (C2) servers. The majority of affected individuals are in India and Russia, though significant numbers are also reported in Brazil, Mexico and the United States.

How Threat Actors Generate Funds from Victims

The malware sends the intercepted SMS messages to an API endpoint on the website 'fastsms.su.' This site offers 'virtual' phone numbers from various countries, which users can purchase for anonymity and to authenticate on online platforms. It is highly likely that the compromised devices are being used by this service without the victims' knowledge. The malware leverages the SMS access permissions granted to it on Android devices to capture OTPs needed for account registrations and two-factor authentication.

For victims, this can result in unauthorized charges on their mobile accounts and potential involvement in illegal activities traced back to their device and phone number. To protect against phone number misuse, avoid downloading APK files from sources outside Google Play, refrain from granting unnecessary permissions to apps with unrelated functions, and ensure that Play Protect is enabled on your device.

The Attack Flow of the SMS Stealer Operation

The victim is lured into installing a fraudulent application through misleading advertisements that imitate legitimate app stores or via automated Telegram bots that interact directly with the target (details below).

Permission Requests – Gaining Access

Once installed, the fraudulent application requests SMS read permissions, a high-risk feature on Android that allows access to sensitive personal data. While legitimate apps might need SMS permissions for specific functions, this app's request is designed to harvest the victim's private text messages.

Command & Control Server Retrieval – Contacting the Master

The threat then connects to its Command and Control (C&C) server, which directs its operations and gathers the collected data. Initially, the malware used Firebase to obtain the C&C server address but has since evolved to use GitHub repositories or embed the address directly within the app.

C&C Communication – Reporting In & Uploading Data

After securing the C&C server address, the infected device establishes a connection to it. This serves two purposes: 1) the malware notifies the server of its active status, and 2) it creates a channel to send stolen SMS messages, including valuable OTP codes.

OTP Harvesting – The Covert Collector

In the final phase, the malware silently monitors incoming SMS messages, focusing on intercepting OTPs used for online account verification while remaining undetected.
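The two indicators this report gives a defender, an app holding a granted SMS permission and an app that did not come from Google Play, can be checked together on a device. The Python triage check below is an added example, not from the original report; it runs over a constructed, abridged `adb shell dumpsys package` dump whose field names follow the dumpsys layout but whose package names and values are made up.

```python
import re

# Constructed, abridged sample of `adb shell dumpsys package` output; real dumps
# are far longer and field layout varies between Android versions.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.messenger] (1a2b3c):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.RECEIVE_SMS
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
  Package [com.fake.pirated.app] (4d5e6f):
    installerPackageName=com.android.packageinstaller
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
  Package [com.example.game] (7a8b9c):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
"""

SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend for managed fleets

def find_sideloaded_sms_readers(dump, trusted=TRUSTED_INSTALLERS):
    """Map package -> granted SMS permissions for apps not installed by a trusted store."""
    findings = {}
    for block in re.split(r"^\s*Package \[", dump, flags=re.M)[1:]:
        name = block.split("]", 1)[0]
        m = re.search(r"installerPackageName=(\S+)", block)
        installer = m.group(1) if m else "null"
        # A permission counts only if it is actually granted, not merely requested.
        granted = sorted(p for p in SMS_PERMISSIONS
                         if re.search(re.escape(p) + r": granted=true", block))
        if granted and installer not in trusted:
            findings[name] = granted
    return findings

if __name__ == "__main__":
    for pkg, perms in find_sideloaded_sms_readers(SAMPLE_DUMPSYS).items():
        print(f"{pkg}: {', '.join(perms)}")
```

A hit is a starting point for review, not proof of infection: legitimate messaging apps installed outside Google Play will also match, so compare the result against the app's expected function, as the report's advice recommends.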
