Dynamically Evolving SMS Stealer Threatens Global Android Users

A novel malware with more than 107,000 samples that has been targeting Android devices for more than two years is stealing SMS messages to acquire one-time passwords (OTPs) and other sensitive user data for further malicious activity.

The malware, aptly dubbed "SMS Stealer" and which has a substantial cybercriminal infrastructure behind it, spreads via dynamically changing mobile apps distributed through Telegram messages or ads for legitimate apps, researchers from mobile security provider Zimperium zLabs have found.

Since February 2022, the researchers have been tracking the stealer, which so far has been downloaded by victims in 113 countries, with India and Russia topping the list, Zimperium researchers Aazim Bill SE Yaswant, Rajat Goyal, Vishnu Pratapagiri, and Gianluca Braga a outlined in blog post published on July 30. The campaign appears, in part, to be financially motivated by well-organized attackers who have at least 13 command-and-control (C2) servers and 2,600 Telegram bots at their disposal.

This ever-evolving campaign makes it particularly dangerous, as it can evade "traditional signature-based detection methods," making it difficult for defenders to discover "without a sophisticated, on-device malware engine capable of detecting zero-day malware," Nico Chiaraviglio, Zimperium chief scientist, says.

"[The malware's] ability to be dynamically generated and distribute unique malicious applications through multiple threat vectors to specific device users suggests a high level of sophistication and adaptability on the part of the threat actors," he says.

Indeed, more than 99,000 of the malware samples analyzed by researchers were unknown and unavailable in generally available repositories, demonstrating that the campaign has remained largely undocumented by defenders over nearly two and a half years. Moreover, attackers are targeting more than 60 top-tier global brands in terms of the OTP messages the malware intercepts, with some brands having users in the hundreds of millions.

For its part, a Google spokesperson tells Dark Reading, "Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."

Multiphase Campaign

The process of encountering the malware to infection and theft of SMS and other data takes place over several stages and is likely aimed at conducting further malicious activity with the stolen data, the researchers found.

"These stolen credentials serve as a springboard for further fraudulent activities, such as creating fake accounts on popular services to launch phishing campaigns or social engineering attacks," the researchers wrote in the post.

The campaign begins when an Android user is tricked into sideloading a malicious application, either through a deceptive ad mimicking a legitimate app store, or through the usage of automated Telegram bots communicating directly with the target and using social engineering to get them to engage. Upon installation, the malicious application requests permission to read SMS messages, "a high-risk permission on Android that grants extensive access to sensitive personal data," according to the post.

"While legitimate applications may require SMS permissions for specific, well-defined functions, this particular app's request is likely unauthorized and intended to exfiltrate the victim's private text message communications," the researchers wrote.

Once it gains permissions, the malware reaches out to find an address for a C2 server and then sets up a connection to transmit commands to be executed as well as stolen SMS messages. In the fifth and final phase, attackers transform the victim's device into "a silent interceptor" on which the malware remains hidden and constantly monitors incoming SMS messages mainly for valuable OTPs for online account verification.

"Urgent Need" for Better Mobile Defense

While stealing SMS messages for financial gain is by no means a new threat, the dynamic and persistent approach of attackers in the campaign demonstrates "a refined and efficient attack method" that demands immediate response, Chiaravigli notes.

Indeed, the growing proliferation of mobile malware, particularly pervasive and stealthy apps that can steal valuable OTPs, pose a significant threat to both individuals as well as enterprises, experts say. They not only invade users' privacy, but the sensitive data they access can provide a springboard for a range of malicious activity like credential theft, financial fraud, and ransomware.

"We have seen SMS redirection malware in the past, however, the ability of SMS Stealer to intercept OTPs, facilitate credential theft, and enable further malware infiltration poses severe risks," notes Jason Soroko, senior vice president of product at Sectigo, a certificate life-cycle management provider.

This underscores the "urgent need" for organizations to adopt enhanced mobile security strategies that in particular stress the management of application permissions and continuous threat monitoring "to safeguard digital identities and enterprise integrity," he says.

New defense strategies should be multilayered and include a combination of advanced behavioral analysis, machine learning, and real-time threat intelligence, adds Stephen Kowski, field CTO at SlashNext Email Security+, saying, "Robust mobile threat defense solutions, proactive defense strategies, and continuous security updates play a pivotal role in identifying and neutralizing hidden malware."