A large-scale cybercriminal campaign targeting Android devices has been uncovered, impacting users across 113 countries. The operation, active since February 2022, uses thousands of Telegram bots to spread SMS-stealing malware; Zimperium researchers have identified at least 107,000 distinct malware samples involved in the campaign. The attackers aim to harvest sensitive information, including one-time passwords used for two-factor authentication (2FA), for financial gain, and they use the compromised devices as authentication and anonymization relays.
The malware is distributed through two primary methods: malvertising and Telegram bots. In the first method, victims are directed to fake Google Play pages with inflated download counts, creating a false sense of legitimacy. In the second method, Telegram bots promise pirated Android applications in exchange for users’ phone numbers. These numbers are then used to generate personalized APK files, which facilitate ongoing tracking and further attacks on the victim’s device.
The campaign employs 2,600 Telegram bots managed by 13 command and control (C2) servers, with most victims located in India and Russia. Significant numbers of affected users are also found in Brazil, Mexico, and the United States. The stolen SMS messages are transmitted to an API endpoint at ‘fastsms.su,’ a service providing “virtual” phone numbers for anonymity and authentication purposes. This indicates that the compromised devices are likely used without the victims’ knowledge to facilitate online transactions and bypass security measures.
To protect against such threats, security experts recommend several precautions: avoid downloading APK files from untrusted sources, be cautious about granting unnecessary permissions to apps, and ensure Google Play Protect is activated on your device. These steps can help prevent the abuse of phone numbers and mitigate unauthorized charges or potential legal issues associated with compromised devices. As cyber threats continue to evolve, vigilance and proactive security measures remain essential in safeguarding personal information.
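As an added illustration (not code from Zimperium's report), the following Python shows two defender-side checks that follow from the campaign described above: flagging egress to the exfiltration domain named on the page from a proxy log, and flagging installed apps whose permission set combines SMS access with network access. The log format (`timestamp device method url`), the device names and the sample records are constructed for the example.

```python
import re
from collections import defaultdict

# Exfiltration endpoint named in the report; extend from threat intel as needed.
EXFIL_DOMAINS = {"fastsms.su"}

# Permissions an SMS stealer needs to read or intercept messages.
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

# Constructed proxy log format: "<timestamp> <device> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def host_of(url):
    """Return the lowercase hostname of a URL (port and path stripped), or None."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def is_exfil_host(host):
    """True for a listed domain or any of its subdomains (not look-alike suffixes)."""
    return any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS)


def flag_exfil(log_lines):
    """Count requests to exfiltration domains per device; skip unparseable lines."""
    hits = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = host_of(m.group("url"))
        if host and is_exfil_host(host):
            hits[m.group("device")] += 1
    return dict(hits)


def sms_capable(permissions):
    """An app that can read SMS and reach the network can forward OTPs; review it."""
    perms = set(permissions)
    return bool(perms & SMS_PERMISSIONS) and "android.permission.INTERNET" in perms


# Constructed sample records: dev-a talks to the exfil API twice, dev-c hits a look-alike.
SAMPLE_LOG = [
    "2024-07-30T10:00:01Z dev-a POST https://api.fastsms.su/v1/inbox",
    "2024-07-30T10:00:05Z dev-b GET https://www.example.com/index.html",
    "2024-07-30T10:01:10Z dev-a POST http://fastsms.su:8080/upload",
    "2024-07-30T10:02:00Z dev-c GET https://notfastsms.su/",
    "malformed line without the expected fields",
]

if __name__ == "__main__":
    print(flag_exfil(SAMPLE_LOG))  # {'dev-a': 2}
```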