31 July 2024

New malicious campaign targets Android users to steal SMS messages

A new malicious campaign has been observed exploiting malicious Android apps to steal users' SMS messages since at least February 2022, as part of a large-scale operation.

The malicious apps, totaling over 107,000 unique samples, are specifically designed to intercept one-time passwords (OTPs) used for online account verification, thereby facilitating identity fraud, according to mobile security firm Zimperium.

Over 99,000 of these applications were previously unknown and unavailable in generally available repositories, the company said. The malware monitored one-time password messages associated with over 600 global brands, some of which have user counts in the hundreds of millions.

Victims of the campaign have been observed in 113 countries, with India and Russia topping the list, followed by Brazil, Mexico, the US, Ukraine, Spain, and Turkey.

The attack begins with the installation of a malicious app, which victims are tricked into installing on their devices. This is achieved either through deceptive ads mimicking Google Play Store app listings or any of the 2,600 Telegram bots that serve as distribution channels by masquerading as legitimate services (e.g., Microsoft Word).

The actors behind this malware campaign employed a variety of tactics to compromise their victims, including malicious advertisements masquerading as legitimate sources, which tricked users into clicking on malicious links that led to malware infections.

In addition to using malicious ads to deceive users into installing malware, the threat actors also used Telegram bots to distribute the SMS stealing malware. These Telegram bots, posing as legitimate services, tricked victims into downloading unique malicious applications disguised as legitimate APKs.

Once installed, the app requests permission to access incoming SMS messages. After obtaining this permission, it reaches out to one of the 13 command-and-control (C2) servers to transmit stolen SMS messages.
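The behaviour described above (request SMS access, then forward incoming messages to a remote server) leaves a recognisable footprint in an app's manifest: an SMS read or receive permission, an internet permission, and a broadcast receiver registered for incoming SMS. The following triage script is an added illustration for defenders and is not code from Zimperium or from the article; the two manifests it checks are constructed samples, and the package names in them are hypothetical. It flags the combination rather than any single permission, since legitimate messaging apps also hold SMS permissions.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace; element names do not.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
INTERNET_PERM = "android.permission.INTERNET"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def _attr(el, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(manifest_xml: str) -> dict:
    """Return the SMS-interception indicators found in an AndroidManifest.xml.

    verdict:
      "high"   - SMS permission + INTERNET + receiver for SMS_RECEIVED
      "review" - SMS permission present but not the full combination
      "none"   - no SMS permission at all
    """
    root = ET.fromstring(manifest_xml)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMS)
    has_internet = INTERNET_PERM in perms

    # Collect every receiver whose intent filter listens for incoming SMS.
    # A very high priority is a common sign the app wants to see the
    # message before the default messaging app does.
    sms_receivers = []
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {_attr(a, "name") for a in flt.iter("action")}
            if SMS_ACTION in actions:
                prio = _attr(flt, "priority")
                sms_receivers.append({
                    "name": _attr(rcv, "name"),
                    "priority": int(prio) if prio is not None else 0,
                })

    if sms_perms and has_internet and sms_receivers:
        verdict = "high"
    elif sms_perms:
        verdict = "review"
    else:
        verdict = "none"

    return {
        "package": root.get("package"),
        "sms_permissions": sms_perms,
        "has_internet": has_internet,
        "sms_receivers": sms_receivers,
        "verdict": verdict,
    }


# Constructed sample: an app posing as an office suite that asks for SMS
# receive rights, network access, and a top-priority SMS receiver.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeoffice">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Office">
    <receiver android:name=".SmsGrabber" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a plain note-taking app with only network access.
CLEAN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, CLEAN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], r["verdict"], r["sms_permissions"], r["sms_receivers"])
```

In practice the manifest is pulled from an APK with a decoder such as apktool or aapt before it is passed to `triage_manifest`; a "high" result is a prompt for closer inspection of the app's network destinations, not a conviction on its own.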

The threat actor behind the campaign has been observed accepting various payment methods, including cryptocurrency, to fuel a service called Fast SMS, which allows customers to purchase access to virtual phone numbers.

“Upon further investigation into this particular sample, we can see the malware transmitting SMS messages from the infected device to a specific API endpoint on this domain. The malware actively searches for incoming messages originating from a global cloud email and office suite provider. This focus on messages from this service suggests a particular interest in intercepting one-time passwords (OTPs), likely used for two-factor authentication on associated accounts or services linked to the stolen phone numbers,” the company noted.
