July 30, 2024 at 05:31PM
A global campaign targeting Android devices uses thousands of Telegram bots to spread SMS-stealing malware that intercepts one-time passwords for more than 600 services. Zimperium researchers, who uncovered the operation, have tracked at least 107,000 malware samples since February 2022. The operators are financially motivated and use the malware to forward captured SMS messages to a specific API endpoint.
The key takeaways from the report are:
1. A malicious campaign targeting Android devices worldwide uses thousands of Telegram bots to distribute SMS-stealing malware and intercept one-time passwords (2FA codes) for more than 600 services.
2. Zimperium researchers have been tracking this operation since February 2022 and have identified at least 107,000 distinct malware samples associated with the campaign.
3. The cybercriminals behind the campaign are financially motivated and use infected devices as authentication and anonymization relays.
4. The malware is distributed through malvertising or through Telegram bots that promise pirated Android applications; the bot asks for the victim’s phone number before sending the APK file.
5. The operation uses around 2,600 Telegram bots to promote various Android APKs, controlled by 13 command-and-control servers.
6. Most victims of this campaign are located in India and Russia, with significant victim counts also in Brazil, Mexico, and the United States.
7. The malware transmits captured SMS messages to an API endpoint at the website ‘fastsms.su,’ which sells access to “virtual” phone numbers in foreign countries for anonymization and for authenticating to online platforms and services.
8. Because the victim’s number is effectively resold through the Fast SMS site, victims may face unauthorized charges on their mobile accounts and may be implicated in illegal activity traced back to their devices and numbers.
9. To avoid phone-number abuse and unauthorized charges: do not download APK files from outside Google Play, do not grant risky permissions (such as SMS access) to apps whose functionality does not require them, and make sure Google Play Protect is enabled on the device.
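The permission advice in point 9 can be turned into a quick static triage check. The script below, an added example that is not part of Zimperium’s report or tooling, parses a decoded AndroidManifest.xml (for instance one produced by apktool) and flags the combination that an SMS stealer needs: SMS read/receive permissions, a BroadcastReceiver registered for incoming SMS, and network access to exfiltrate. The two manifests are constructed samples with hypothetical package names, not files from the campaign.

```python
"""Static triage of a decoded AndroidManifest.xml for SMS-stealer indicators.

Added example: constructed manifests, hypothetical package names. Not the
campaign's real samples and not Zimperium's tooling.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: a "cracked game" that wants SMS access and a receiver
# for incoming messages, plus INTERNET to forward them. Hypothetical names.
SUSPICIOUS_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.crackedgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Free Game">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter>
        <action android:name="{SMS_RECEIVED_ACTION}"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a benign game that only needs network access.
BENIGN_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.puzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Puzzle">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the SMS-related indicators found in a decoded manifest."""
    root = ET.fromstring(manifest_xml)

    # <uses-permission> elements are direct children of <manifest>.
    perms = {p.get(NAME_ATTR) for p in root.findall("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMS)
    has_internet = "android.permission.INTERNET" in perms

    # Receivers that register for the SMS_RECEIVED broadcast see every
    # incoming text, which is exactly what an OTP stealer needs.
    sms_receivers = []
    app = root.find("application")
    if app is not None:
        for rcv in app.findall("receiver"):
            if any(a.get(NAME_ATTR) == SMS_RECEIVED_ACTION for a in rcv.iter("action")):
                sms_receivers.append(rcv.get(NAME_ATTR))

    # Verdict: all three together means the app can read, intercept and
    # exfiltrate SMS; either SMS capability alone still deserves a look.
    if sms_perms and sms_receivers and has_internet:
        verdict = "high"
    elif sms_perms or sms_receivers:
        verdict = "medium"
    else:
        verdict = "low"

    return {
        "package": root.get("package"),
        "sms_permissions": sms_perms,
        "sms_receivers": sms_receivers,
        "internet": has_internet,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(f"{r['package']}: {r['verdict']} "
              f"(perms={r['sms_permissions']}, receivers={r['sms_receivers']})")
```

The check is a heuristic, not a signature: a legitimate SMS app will also score “high”, so the point is to compare the requested capability with what the app claims to do, which is the same judgement point 9 asks the user to make before granting the permission.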