Cybercriminals Have Deployed Over 100,000 Apps With Malware To Steal Your 2FA Codes

A new large-scale malicious campaign has been observed using Android apps to steal users' SMS messages, specifically targeting one-time passwords (OTPs) used for online account verification. This campaign has been active since at least February 2022 and involves over 107,000 unique samples of malicious apps.

The Threat: Malicious Android Apps

How the Campaign Works

The malicious apps are designed to intercept OTPs, which are crucial for online account verification. Here's a step-by-step breakdown of how these apps operate:

1. Deceptive Installation: Victims are tricked into installing the malicious app through deceptive ads that mimic legitimate app listings on the Google Play Store or via Telegram bots pretending to be legitimate services like Microsoft Word.

2. Permission Request: Once installed, the app requests permission to access incoming SMS messages.

3. Data Transmission: The app then connects to one of 13 command-and-control (C2) servers to transmit the stolen SMS messages.

4. Monitoring: The malware continuously monitors incoming SMS messages, primarily targeting OTPs used for two-factor authentication (2FA).

Scope and Scale

According to mobile security firm Zimperium, the campaign has targeted over 600 global brands and has been detected in 113 countries. The majority of victims are in India and Russia, followed by Brazil, Mexico, the U.S., Ukraine, Spain, and Turkey.

Who Is at Risk?

Global Reach

Victims of this campaign are spread across 113 countries, making it a global threat. Individuals in countries with high digital activity, such as India, Russia, Brazil, Mexico, the U.S., Ukraine, Spain, and Turkey, are particularly at risk.

Users of Online Services

Anyone who uses online services that require OTPs for verification is at risk. This includes users of banking services, social media platforms, and any other online service that implements two-factor authentication.

Android Device Users

Android users are specifically targeted due to the nature of the malware. Those who frequently download apps from unofficial sources or who do not scrutinize app permissions are at higher risk.

How to Protect Yourself

Strengthening Security Measures

1. Use Trusted Sources: Only download apps from reputable sources like the Google Play Store. Avoid downloading apps from links received via email, SMS, or social media.

2. Check App Permissions: Always review the permissions an app requests before installation. Be cautious of apps that ask for unnecessary permissions, such as access to SMS messages.

3. Install Security Software: Use reputable mobile security apps to scan for and block malicious applications.

Monitoring and Vigilance

1. Stay Informed: Keep up-to-date with the latest security threats and best practices. Follow cybersecurity news and updates.

2. Monitor Your Accounts: Regularly check your bank accounts, social media accounts, and other online services for unauthorized activities.

3. Enable Security Features: Use additional security features offered by your phone and online services, such as app permission management and account activity alerts.

Educating Yourself and Others

1. Recognize Phishing Attempts: Be aware of phishing attempts, especially those that come via WhatsApp or other messaging platforms. Do not click on suspicious links or download attachments from unknown sources.

2. Educate Others: Inform family and friends about the risks of downloading apps from unofficial sources and the importance of app permissions.

The Role of Telegram in Malware Distribution

Abuse of Popular Platforms

Malicious actors are increasingly using popular platforms like Telegram to distribute malware and control infected devices. Telegram, with over 950 million monthly active users, provides a convenient and popular medium for these activities.

Recent Discoveries

1. SMS Stealer Families: Positive Technologies recently identified SMS stealer families such as SMS Webpro and NotifySmsStealer targeting users in Bangladesh, India, and Indonesia.

2. TgRAT: A Windows remote access trojan that uses Telegram as a C2 server, now also has a Linux variant. This malware can download files, take screenshots, and execute remote commands.

Conclusion

The discovery of this large-scale campaign using malicious Android apps to steal SMS messages underscores the need for vigilance and robust security practices. By understanding the risks and taking proactive measures, users can protect themselves from such sophisticated threats. Regular updates, cautious downloading practices, and continuous monitoring are essential to safeguard against these malicious activities. Stay informed, stay secure.