Mobile security firm Zimperium has found 107,000 malware samples able to steal Android SMS messages, focusing on the one-time passwords (OTPs) used for multi-factor authentication (MFA) and associated with more than 600 global brands. The malware has been dubbed SMS Stealer.
The size of the campaign is impressive. The samples have been found in 113 countries (the majority in Russia and India). Thirteen C&C servers have been identified, along with 2,600 Telegram bots used as part of the malware distribution channel.
Victims are primarily persuaded to sideload the malware through deceptive advertisements or through Telegram bots communicating directly with the victim. Both methods mimic trusted sources, explains Zimperium. Once installed, the malware requests the SMS message read permission and uses it to exfiltrate private text messages.
SMS Stealer then connects with one of the C&C servers. Early versions used Firebase to retrieve the C&C address; more recent versions rely on GitHub repositories or embed the address in the malware. The C&C establishes a communications channel to transmit stolen SMS messages, and the malware becomes an ongoing silent interceptor.
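As an added defender-side triage check (not part of Zimperium's report or its IoC repository), the following Python script parses `adb shell dumpsys package`-style output to flag apps that hold an SMS read or receive grant but were not installed by a trusted store, which is the combination the sideloaded SMS Stealer samples rely on. The sample text is constructed to approximate that layout; the exact field names and the `null` installer value are assumptions to verify against your device's Android version.

```python
import re

# Constructed sample approximating the layout of `adb shell dumpsys package <pkg>`.
# Real output has many more fields; this is not a capture from an infected device.
SAMPLE_DUMPSYS = """\
Package [com.example.bank] (1a2b3c):
    installerPackageName=com.android.vending
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
Package [com.free.gift.app] (4d5e6f):
    installerPackageName=null
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
Package [com.example.notes] (7a8b9c):
    installerPackageName=null
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
"""

# Permissions that let an app read incoming OTP texts.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
# Google Play; extend with an MDM or OEM store package name if your fleet uses one.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_packages(text):
    """Return {package: {"installer": str|None, "granted": set}} from dumpsys-style text."""
    pkgs, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Package \[([^\]]+)\]", line)
        if m:  # start of a new package record
            cur = pkgs.setdefault(m.group(1), {"installer": None, "granted": set()})
            continue
        if cur is None:
            continue
        m = re.match(r"\s*installerPackageName=(\S+)", line)
        if m:  # "null" (assumed spelling) means no recorded installer, i.e. sideloaded
            cur["installer"] = None if m.group(1) == "null" else m.group(1)
            continue
        m = re.match(r"\s*(android\.permission\.\S+): granted=true", line)
        if m:  # only granted permissions matter for interception risk
            cur["granted"].add(m.group(1))
    return pkgs


def flag_sms_readers(text):
    """Sideloaded packages (no trusted installer) holding an SMS read/receive grant."""
    return sorted(
        pkg for pkg, info in parse_packages(text).items()
        if info["granted"] & SMS_PERMS and info["installer"] not in TRUSTED_INSTALLERS
    )
```

On a real device, feed it the concatenated output of `dumpsys package` for each third-party package (`pm list packages -3`) and review every flagged app rather than treating the list as a verdict.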
The campaign seems to be designed to steal data that could be sold to other criminals — and OTPs are a valuable find. For example, the researchers found a connection to fastsms[.]su. This turned out to be a C&C with a user-defined geographic selection model. Visitors (threat actors) could select a service and make a payment, after which “the threat actor received a designated phone number available to the selected and available service,” write the researchers. “The platform subsequently displays the OTP generated upon successful account setup.”
Stolen credentials allow an actor a choice of different activities, including creating fake accounts and launching phishing and social engineering attacks. “The SMS Stealer represents a significant evolution in mobile threats, highlighting the critical need for robust security measures and vigilant monitoring of application permissions,” says Zimperium. “As threat actors continue to innovate, the mobile security community must adapt and respond to these challenges to protect user identities and maintain the integrity of digital services.”
It is the theft of OTPs that is most dramatic, and a stark reminder that MFA does not always ensure security. Darren Guccione, CEO and co-founder at Keeper Security, comments, “OTPs are a key component of MFA, an important security measure designed to protect accounts. By intercepting these messages, cybercriminals can bypass those MFA protections, gain unauthorized access to accounts and potentially cause very real harm. It’s important to recognize that not all forms of MFA offer the same level of security. More secure options include authentication apps like Google Authenticator or a physical hardware key like YubiKey.”
But he, like Zimperium, is not oblivious to the full threat potential of SMS Stealer. “The malware can intercept and steal OTPs and login credentials, leading to complete account takeovers. With these stolen credentials, attackers can infiltrate systems with additional malware, amplifying the scope and severity of their attacks. They can also deploy ransomware… so they can demand financial payment for recovery. Furthermore, attackers can make unauthorized charges, create fraudulent accounts and execute significant financial theft and fraud.”
Essentially, connecting these possibilities to the fastsms offerings could indicate that the SMS Stealer operators are part of a wide-ranging access broker service.
Zimperium provides a list of SMS Stealer IoCs in a GitHub repository.