A new malicious campaign targets Android devices worldwide, leveraging thousands of Telegram bots to infect devices with SMS-stealing malware.
This malware aims to steal one-time 2FA passwords (OTPs) for over 600 services.
Campaign Overview
Researchers at Zimperium discovered this operation, which they have been tracking since February 2022. They identified at least 107,000 distinct malware samples linked to this campaign. The cybercriminals behind this scheme are financially motivated, using infected devices as authentication and anonymization relays.
Methods of Distribution
The SMS-stealing malware is distributed through two primary methods: malvertising and Telegram bots. In the malvertising scenario, victims are directed to pages mimicking Google Play, where inflated download counts are displayed to create a false sense of trust. On Telegram, bots promise users pirated applications for Android, requesting their phone numbers before sharing the APK file. This number is then used to generate a new APK, enabling personalized tracking and future attacks.
Monetization Tactics
Zimperium discovered that the malware sends the captured SMS messages to a specific API endpoint on the website ‘fastsms.su.’ This site offers access to “virtual” phone numbers in various countries, which can be used for anonymization and authentication on online platforms and services.
Infected devices are likely being utilized by this service without the victims’ knowledge. The malware requests Android SMS access permissions, allowing it to capture OTPs needed for account registrations and two-factor authentication.
This campaign highlights the increasing sophistication of cyber threats targeting Android devices and underscores the importance of staying vigilant and cautious when downloading applications or sharing personal information online.
