Large-scale SMS OTP theft campaign on Android spans more than 100k malicious apps

Zimperium zLabs, the mobile security research arm of Zimperium, a vendor of mobile device security solutions, recently disclosed a large-scale Android malware campaign active since February 2022: more than 107,000 malware samples, with victims in 113 countries. The malware harvests one-time passwords (OTPs) delivered by SMS for more than 600 leading brands, putting millions of user accounts at risk.

The campaign lures victims with phishing ads and Telegram bots. Once installed, the app requests permission to read SMS, intercepts incoming messages, and forwards the OTPs they contain to a command and control (C&C) server. The stolen OTPs are then sold on cybercrime markets, letting buyers bypass SMS-based two-factor authentication.
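The capability just described (SMS permissions, a receiver for incoming SMS, and network access to ship the code out) is visible in an app's manifest before the sample ever runs. The following static triage check is an added example written for this page, not Zimperium's tooling or code from the campaign. It assumes the reader has a decoded AndroidManifest.xml (for instance from apktool), and the two manifests embedded below are constructed for illustration.

```python
# Added example (not Zimperium's tooling): static triage of a decoded
# AndroidManifest.xml for the SMS-interception pattern described above,
# i.e. SMS read/receive permissions + a BroadcastReceiver registered for
# SMS_RECEIVED + INTERNET permission to exfiltrate the OTP.
# The manifest samples below are constructed for illustration.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
INTERNET_PERMISSION = "android.permission.INTERNET"


def android_attr(name: str) -> str:
    """ElementTree spells namespaced attributes as {uri}local."""
    return f"{{{ANDROID_NS}}}{name}"


def triage_manifest(manifest_xml: str) -> dict:
    """Collect SMS-related declarations and flag the manifest when all three
    ingredients of an OTP stealer (permissions, receiver, network) are present."""
    root = ET.fromstring(manifest_xml)
    permissions = {e.get(android_attr("name")) for e in root.iter("uses-permission")}

    sms_receivers = []
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.findall("intent-filter"):
            actions = {a.get(android_attr("name")) for a in intent_filter.findall("action")}
            if SMS_RECEIVED_ACTION not in actions:
                continue
            priority = intent_filter.get(android_attr("priority"))
            sms_receivers.append({
                "name": receiver.get(android_attr("name")),
                "exported": receiver.get(android_attr("exported")) == "true",
                # A high priority lets this receiver see the SMS before other apps.
                "priority": int(priority) if priority is not None else 0,
            })

    sms_permissions = sorted(permissions & SMS_PERMISSIONS)
    has_internet = INTERNET_PERMISSION in permissions
    return {
        "sms_permissions": sms_permissions,
        "sms_receivers": sms_receivers,
        "has_internet": has_internet,
        "flagged": bool(sms_permissions) and bool(sms_receivers) and has_internet,
    }


# Constructed manifest imitating the pattern described in the article.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Cleaner">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest for a benign app with no SMS access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flashlight">
        <activity android:name=".MainActivity" android:exported="true"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(xml))
```

This is a triage filter for sorting a large sample set, not a verdict: a legitimate default SMS app declares the same permissions and receiver, so a hit means "look closer" (what the receiver does with the message, where the app connects). An app that only needs to read its own verification code has no reason to ask for these permissions at all, since Android's SMS Retriever API delivers such codes without them.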

(Illustration: Zimperium zLabs)

Over the campaign's lifetime the malware changed how it locates its C&C: early samples retrieved the address from Firebase, later ones from GitHub, and the most recent embed the C&C address directly in the app. Zimperium's research found a clear financial motive, linking one malware sample to a website that sells stolen phone numbers and OTPs.

The scale of the campaign was staggering:
  • Over 107,000 malware samples: a large-scale campaign hitting victims worldwide.
  • Over 95% of the samples were unknown: more than 99,000 samples were not found in common malware repositories.
  • 600+ global brands targeted: OTPs from over 600 brands were monitored.
  • 113 countries affected: Russia and India were the main targets.
  • 13 C&C servers: used to collect and leak intercepted SMS.
  • 2,600 Telegram bots: associated with the campaign.

Most of the malware samples evaded antivirus detection. Researchers identified 13 C&C servers and a large network of Telegram bots involved in distributing the malware. While Russia and India are the primary targets, victims were detected in 113 countries, underscoring the global reach of the threat.

To combat this and similar threats, users are advised to:
  • Avoid downloading apps from untrusted sources, and do not grant SMS permissions to apps that have no messaging function.
  • Be careful when clicking on links or interacting with Telegram bots.
  • Keep your device up to date with the latest security patches.
Businesses should also deploy robust mobile security solutions to detect and prevent such threats.

Source: BleepingComputer
