Malicious Apps Steal OTP Codes: Zimperium Research

Zimperium, a company that specializes in cybersecurity for mobile devices and applications, has uncovered a large-scale malicious campaign to intercept one-time passwords from Android smartphones. The victims were users in 113 countries around the world, among which India and Russia are in the lead, as well as Brazil, Mexico, the USA, Ukraine, Spain and Turkey.

In the latest report, published at the end of July, Zimperium specialists reported that they had identified about 107 thousand different malicious applications. Attackers use these applications to intercept and steal the one-time passwords that users receive to confirm online accounts. With these codes in hand, fraudsters easily carry out a variety of cyberattacks and also make money by renting out infected devices, which are then used by other cybercriminal groups for further fraud.

One-time passwords (OTPs) are designed to add an extra layer of security when users log in to their accounts across services and apps. They are actively used by companies to protect users' personal data. However, these passwords are just as valuable to attackers.

What does the process of infecting devices and stealing passwords look like?


– Phase 1: Installation of the application. "Wolf in sheep's clothing"

The victim is tricked into installing a rogue app, either through malvertising that mimics the real Google Play Store or through 2,600 automated Telegram bots that communicate directly with the victim.

Below is an example of correspondence between a malicious Telegram bot and a victim. The bot asks the user to confirm that they are not a robot and displays a prompt requesting access to the phone number. After that, the bot sends the victim a malicious APK file to install. The victims are users looking for a way to download, for free, applications that are sold for a fee in official stores and other official sources.

[Image: conversation between a malicious Telegram bot and a victim]


- Phase 2: Permit Requests. Gaining access

Once installed, the malicious application asks for permission to read SMS messages. While legitimate applications may need this permission solely to perform specific functions, the malware's request is designed to extract the victim's private text messages.

- Phase 3: C&C server. The "master" of puppets

The malware then contacts its C&C (command-and-control) server, which acts as the brain of the operation, issuing commands and collecting stolen data. Initially, the malware used the Firebase platform (Google's web and mobile app development tool) to obtain the C&C server address. The attackers have since adapted their tactics and now use GitHub repositories, or even embed the server address directly in the application itself.

- Phase 4: Communication with the C&C server. Data logging and uploading

The infected device establishes a connection that serves a dual purpose: 1) the malware logs its presence on the server, confirming its operational status, and 2) establishes a channel for the transmission of stolen SMS messages, including the necessary OTP codes.

- Phase 5: Collection of OTPs. Silent interceptor

In the final phase, the victim's device turns into a silent interceptor. The malware sits unnoticed on the device and monitors incoming SMS messages for one-time passwords used to log in to accounts.
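Phases 2 and 5 together describe a manifest-level pattern that a defender can look for when triaging an APK: a request for SMS permissions combined with a broadcast receiver subscribed to incoming SMS. The script below is an added example, not code from Zimperium's report; it runs over a constructed, decoded AndroidManifest.xml for a hypothetical app and flags that combination.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: a decoded AndroidManifest.xml (as produced by a tool such
# as apktool) for a hypothetical app that asks for SMS access and registers a
# high-priority receiver for incoming SMS, the pattern described in phases 2 and 5.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freeapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".SmsListener" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Flag manifests that both request SMS permissions and listen for SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    prio_attr = f"{{{ANDROID_NS}}}priority"

    requested = {p.get(name_attr) for p in root.iter("uses-permission")}
    sms_perms = sorted(requested & SMS_PERMISSIONS)

    # Collect every receiver whose intent-filter subscribes to incoming SMS,
    # together with its priority (high values let it see the SMS first).
    sms_receivers = []
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(name_attr) for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                sms_receivers.append((rcv.get(name_attr), flt.get(prio_attr)))

    return {
        "package": root.get("package"),
        "sms_permissions": sms_perms,
        "sms_receivers": sms_receivers,
        # Permission plus receiver is the combination worth a manual look.
        "suspicious": bool(sms_perms) and bool(sms_receivers),
    }
```

A hit is a triage signal, not a verdict: messaging apps legitimately use the same permission and receiver, so the result should be weighed against the app's source and stated purpose.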

What else did the experts find out?

According to them, attackers successfully make money from their malicious activities by using the Fast SMS service to buy access to virtual phone numbers. Apparently, the numbers associated with the infected devices were sold, without the knowledge of their owners, for use in registering accounts.

Back in 2022, Trend Micro reported that the service was selling other people's phone numbers. At that time, experts discovered that attackers were using Android devices, combined into a botnet, to mass-register disposable accounts, or accounts requiring phone confirmation, for further fraudulent actions.

The malicious operation discovered by Zimperium specialists highlights the need to educate users about checking the sources from which they install mobile applications on their devices. It is also a reminder of the role of advanced technologies in the fight against fraud and cyberattacks.
