In today’s cybersecurity practices, one-time passwords (OTPs) have emerged as a valuable offering for online accounts, providing an additional layer of protection. Attackers have acknowledged that enterprises are relying more heavily on OTPs to safeguard sensitive data and applications. As a result, they are strengthening their efforts to evade these defenses. Zimperium’s zLabs is cognizant of the critical concern of the rise of mobile malware tailored to steal OTPs, and has been keeping a vigilant eye on this alarming trend.
zLabs discovered the Android-targeted SMS stealer campaign in February 2022 and has continued to monitor it closely. Since the initial discovery, zLabs researchers have found over 107,000 unique malware samples connected to the campaign, impacting over 600 brands globally. This shines a bright light on just how vigilant and deceptive attackers are in refreshing their campaigns to ensure their effectiveness.
SMS Stealer’s Attack Chain
The researchers found that this is a multiphase campaign: it unfolds over many stages and serves as a helping hand for further fraudulent activity. The infection begins when an Android user is tricked into installing a malicious app. These malicious apps are extremely deceitful, as they can be disguised as an ad emulating a legitimate app store or offered through any of the 2,600 automated Telegram bots in direct communication with the target. These Telegram bots give the false promise of a pirated Android application that would normally require payment, in exchange for the user’s phone number.
This exchange prompts the attacker to send a customized Android Package Kit (APK) file to monitor the victim and jumpstart future attacks. Once installed, the malicious application prompts the user to grant permission to read SMS messages. This high-risk permission gives bad actors access to personal data. Next, the malware connects to the mastermind of the campaign, its Command and Control (C&C) server, which issues commands and collects the stolen data. Once the C&C connection is established, the malware both solidifies its operational status and creates a channel to forward stolen SMS messages.
Once C&C is active, the device is fully compromised and becomes a master of disguise: a silent interceptor. The malware stays concealed while maintaining full visibility into SMS messages, with attackers on high alert for OTPs used for online account verification.
The sophistication of these bad actors is alarming. This campaign’s deceptive tactics have reached a new level by mimicking reliable sources and Telegram bots that appear to be trusted services. Attackers take advantage of people’s trust in services, exploit them, and fully take over the privacy of the device. The vulnerability of text message access has the potential to be incredibly damaging, as it gives attackers access to OTPs that often serve as credentials for financial institutions.
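As an added defensive illustration (not part of the zLabs report), the following Python triage heuristic scores an AndroidManifest.xml for the permission pattern described above: SMS read/receive access combined with a network path to a C&C server and access to phone details. Both manifests and their package names are constructed samples.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permission sets that, in combination, match the behaviour described above:
# read/receive SMS, a network path to the C&C server, and phone details.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
NET_PERMS = {"android.permission.INTERNET"}
PHONE_PERMS = {"android.permission.READ_PHONE_STATE"}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

def assess_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    # A receiver for SMS_RECEIVED lets an app see every incoming message silently.
    listens_for_sms = any(a.get(ANDROID_NS + "name") == SMS_RECEIVED_ACTION
                          for a in root.iter("action"))
    findings = []
    if perms & SMS_PERMS and perms & NET_PERMS:
        findings.append("sms-access-with-network-exfil-path")
    if listens_for_sms:
        findings.append("sms-received-broadcast-receiver")
    if perms & PHONE_PERMS:
        findings.append("phone-identity-access")
    # Legitimate messaging apps also match; this is a triage signal, not a verdict.
    risk = "high" if len(findings) >= 2 else "medium" if findings else "low"
    return {"permissions": sorted(p for p in perms if p), "findings": findings, "risk": risk}

# Constructed sample: a "free premium" app that asks for far more than it needs.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cracked.premium">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".SmsListener">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a benign app with network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(assess_manifest(m))
```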
Sophistication on the Rise
Gone are the days when malware was a bare-bones operation with no strategy. These days, cybercriminals are extremely sophisticated and strategic, manage large operations, and oftentimes build their own businesses and hierarchies. With the malware now in control of the device, the critical question is how the threat actor controls the malware. Zimperium’s zLabs researchers have noted adapting techniques to establish and register a Command and Control (C&C) server. In the early days of the malware, attackers relied on Firebase to establish the C&C connection. However, evolving malware campaigns tend to find additional routes. zLabs researchers observed threat actors leverage GitHub in two ways: hosting JSON (JavaScript Object Notation) files containing URLs in GitHub repositories, and using GitHub to distribute many of the malicious APKs. A device registering with its configured C&C server marks the start of data theft, including SMS messages and phone details. From there, the stolen information is transferred to the C&C server, where the data is collected, sold, or leveraged for future attacks.
This prolific campaign targets over 60 top-tier global brand services, with some brands having hundreds of millions of users, and spans across 113 countries. zLabs researchers determined 13 C&Cs are being used to steal and exploit SMS messages, a large network of around 2,600 Telegram bots leveraged as a distribution channel, and to date, zLabs researchers have discovered over 107,000 malware samples directly tied to this campaign. These numbers reveal the astonishing, large scale of this campaign and paint a disturbing picture of a sophisticated operation behind this malware campaign.
The exact motive behind the campaign is not determined; however, zLabs research indicates a financial incentive. Initial research revealed a connection between the website fastsms.su and one of the malware samples in the campaign. Deeper examination unveiled a highly developed C&C platform containing a user-defined geographic selection model. The platform offered both well-known consumer and enterprise services, with cost options based on phone number availability in the chosen country. Once selection and payment are completed, the platform shows the OTP that is generated after the account is successfully set up. One sample from this well-developed platform shows malware transmitting SMS messages from compromised devices to a specific API endpoint domain. The malware searches specifically for messages from popular cloud services, with the goal of intercepting one-time passwords.
The escalation of mobile malware tailored to steal OTPs presents a major threat to individuals and organizations. The continuous advancement of malicious threats in this campaign unveils additional security risks to enterprises, making it critical that enterprises employ preventative measures to protect device assets and sensitive information. The 2024 Verizon Data Breach Investigations Report found that 31% of all breaches over the last decade have involved stolen credentials. The combination of the surge in mobile breaches and the complexity of campaigns such as the SMS stealer campaign opens the floodgates to unwanted security risks, such as credential theft, malware infiltration, ransomware attacks, and financial loss, that can easily be prevented by being well prepared with a thorough mobile threat defense (MTD) solution.