Malicious Actors Deploy Over 100,000 Malware Android Applications to Steal OTP Codes

Jul 31, 2024Ravie LakshmananMobile Security / Malware

A newly observed malicious campaign has been using rogue Android applications to steal users' SMS messages since at least February 2022.


The malicious apps, spanning more than 107,000 unique samples, are designed to intercept the one-time passwords (OTPs) used for online account verification in order to commit identity fraud.

“Out of those 107,000 malware instances, upwards of 99,000 of these applications are/were unidentified and not obtainable in widely accessible repositories,” mobile security company Zimperium stated in a report provided to The Hacker News. “This malware was monitoring one-time password messages from more than 600 worldwide brands, with some brands having user counts in the hundreds of millions.”

Victims of the campaign have been observed in 113 countries, with India and Russia topping the list, followed by Brazil, Mexico, the U.S., Ukraine, Spain, and Turkey.


The attack begins with a malicious app that the target is tricked into installing on their device, either through deceptive ads that mimic Google Play Store app listings or through any of the 2,600 Telegram bots that serve as the distribution channel by posing as legitimate services (e.g., Microsoft Word).

Once installed, the app requests permission to access incoming SMS messages and then connects to one of 13 command-and-control (C2) servers to transmit the stolen SMS messages.

“The malware remains concealed, continuously surveilling fresh incoming SMS messages,” the researchers articulated. “Its prime focus is OTPs utilized for online account verification.”
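The infection pattern described above (an app installed from outside the Play Store that holds SMS permissions) is something a defender can triage on a device. The following script is an added example, not code from the article or from Zimperium: it takes the output of `adb shell pm list packages -i` and per-package excerpts of `adb shell dumpsys package <pkg>` (both formats assumed and simplified here, with constructed sample data embedded so the script runs offline) and flags sideloaded packages that have been granted SMS permissions for manual review.

```python
import re

# Constructed sample of `adb shell pm list packages -i` output.
# Assumed format: "package:<name>  installer=<installer|null>"; "null" means sideloaded.
PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.docviewer  installer=null
package:org.telegram.messenger  installer=com.android.vending
package:com.example.smsbackup  installer=null
"""

# Constructed excerpts of the "runtime permissions:" section of
# `adb shell dumpsys package <pkg>`, one entry per package (format assumed).
DUMPSYS = {
    "com.android.chrome": "      android.permission.CAMERA: granted=true\n",
    "com.example.docviewer": (
        "      android.permission.RECEIVE_SMS: granted=true\n"
        "      android.permission.READ_SMS: granted=true\n"
    ),
    "org.telegram.messenger": "      android.permission.READ_SMS: granted=false\n",
    "com.example.smsbackup": "      android.permission.READ_SMS: granted=true\n",
}

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend for a managed fleet

def parse_pm_list(text):
    """Map package name -> installer package ("null" when sideloaded/unknown)."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", text, re.M)}

def granted_sms_perms(dumpsys_text):
    """Return the SMS permissions marked granted=true in a dumpsys excerpt."""
    return {m.group(1)
            for m in re.finditer(r"(android\.permission\.\w+): granted=true", dumpsys_text)
            if m.group(1) in SMS_PERMS}

def flag_sms_sideloads(pm_list_text, dumpsys_by_pkg):
    """Packages holding a granted SMS permission that a trusted store did not install."""
    flagged = {}
    for pkg, installer in parse_pm_list(pm_list_text).items():
        perms = granted_sms_perms(dumpsys_by_pkg.get(pkg, ""))
        if perms and installer not in TRUSTED_INSTALLERS:
            flagged[pkg] = sorted(perms)
    return flagged

if __name__ == "__main__":
    for pkg, perms in flag_sms_sideloads(PM_LIST, DUMPSYS).items():
        print(f"REVIEW {pkg}: sideloaded, holds {', '.join(perms)}")
```

A hit is a triage lead, not a verdict: a legitimate SMS backup tool installed by hand will also be flagged, so the installer source and the app's signing certificate still need to be checked.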

The operators behind this campaign are currently unknown, although they have been observed accepting various forms of payment, including cryptocurrency, to fund a service called Fast SMS (fastsms[.]su) that lets customers purchase access to virtual phone numbers.

The phone numbers tied to the infected devices are likely being used, without the owners' knowledge, to sign up for various online accounts, with the harvested OTPs satisfying the two-factor authentication (2FA) step.


In early 2022, Trend Micro shed light on a similar financially motivated service that corralled Android devices into a botnet capable of “registering disposable accounts in bulk or generating phone-verified accounts for carrying out fraud and other criminal acts.”

“These purloined credentials act as a stepping stone for further deceitful undertakings, like establishing fake accounts on prominent services to launch phishing campaigns or social engineering assaults,” Zimperium mentioned.

The findings highlight the continued abuse of Telegram, a popular instant messaging app with more than 950 million monthly active users, by threat actors for purposes ranging from malware distribution to C2.

Earlier this month, Positive Technologies disclosed two SMS stealer families dubbed SMS Webpro and NotifySmsStealer that target Android users in Bangladesh, India, and Indonesia with the goal of exfiltrating messages to a Telegram bot controlled by the threat actors.

The Russian cybersecurity firm also identified a pair of stealer variants that impersonate TrueCaller and ICICI Bank and are capable of exfiltrating users' images, device information, and notifications via the messaging platform.

“The chain of infection kicks off with a conventional phishing maneuver on WhatsApp,” security researcher Varvara Akhapkina stated. “With a small number of exceptions, the attacker employs phishing sites masquerading as a bank to induce users to download applications from them.”

Another malware family that uses Telegram as a C2 server is TgRAT, a Windows remote access trojan that has recently been updated with a Linux variant. It is equipped to download files, take screenshots, and run commands remotely.

“Telegram is extensively utilized as a corporate messenger in various organizations,” Doctor Web asserted. “As a result, it’s not surprising that malevolent actors can exploit it as a conduit to transmit malware and pilfer sensitive data: the prevalence of the application and the regular traffic to Telegram’s servers make it effortless to conceal malware on an infiltrated network.”
