Researchers analyze Indonesian Telegram bots used to control malware campaigns, revealing mass SMS/notification stealers (SMS Webpro, NotifySmsStealer) and related variants (Gallery Stealer, ICARD, FalseCaller) distributed across Southeast Asia with Telegram as the command-and-control channel. The study highlights pervasive phishing via WhatsApp and decoy websites, with over 1,000 Telegram bots acting as C2 servers and victims primarily in Indonesia. #SMSWebpro #NotifySmsStealer #LazyKoala #GalleryStealer #ICARD #FalseCaller #WhatsApp
Keypoints
- The research focuses on Telegram-based control servers that coordinate Android APK-based stealers, notably SMS Webpro and NotifySmsStealer, in Southeast Asia, especially Indonesia.
- Two main families of stealers dominate the campaign, both using similar code with different C2 endpoints and Telegram messaging formats.
- Other unique samples include Gallery Stealer (photo exfiltration), ICARD (ICICI Bank impersonation), and FalseCaller (Truecaller impersonation), with notable anti-analysis and deception tricks.
- The operators rely on phishing via WhatsApp and phishing sites to deliver APKs masquerading as banking, delivery notices, wedding invitations, or other services.
- Telegram is used as the C2 channel, with data sent to Telegram bots via API calls, including image exfiltration and notification data.
- The campaigns show evidence of persistence (auto-start on some devices) and collection of device state, IMSI, and notification content, signaling an intent to steal money and personal data.
- Victim geography centers on India and Indonesia, with a large Indonesian footprint and scattered activity in Bangladesh, Russia, Belarus, and Malaysia.
MITRE Techniques
- [T1566] Phishing via Service – Initial access is a phishing message sent over WhatsApp; “…The chain of infection starts with a typical phishing attack on WhatsApp.”
- [T1071.001] Web Protocols – Telegram is used as a C2 channel to exfiltrate data and control bots; “…Attackers have increasingly started using Telegram as a control server (C2).”
- [T1071.001] Web Protocols – Data is sent to Telegram via API calls; “A POST request to the Telegram API is created, sendPhoto, where the Telegram bot token appears.”
- [T1005] Data from Local System – Gallery Stealer reads local image files and uploads them to the C2; “The app tries to get the names of all .jpg files … The stealer reads the image file and sends it to the C2 server.”
- [T1082] System Information Discovery – The stealer collects device information (Build.FINGERPRINT, Build.TIME, etc.); “Build.FINGERPRINT is the unique identifier of the build; Build.TIME is the UNIX build time…”
- [T1547] Boot or Logon Autostart – Persistence via auto-start on certain devices (OPPO); “auto-start for OPPO brand phones.”
- [T1027] Obfuscated/Compressed Files and Information – Strings in ICARD are encrypted and decrypted via base64 then XOR; “most of the strings are encrypted… base64 decryption, and then a cyclic XOR…”
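Detection logic for the Telegram-as-C2 pattern in the T1071.001 entries above, as an added example (not code from the research or from the malware): it scans constructed proxy log lines for Telegram Bot API calls, tags sendPhoto/sendMessage as exfiltration versus getUpdates as tasking, redacts the bot token, and groups alerting sources per bot id. The bot token format, the log line layout and the sample lines are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional

# Telegram Bot API URLs look like https://api.telegram.org/bot<token>/<method>.
# Assumption for this example: a bot token is <numeric id>:<35 URL-safe chars>.
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)")
# Methods the summarized stealers use to push data (sendPhoto, sendMessage) versus the method a bot polls for tasking.
EXFIL_METHODS = {"sendPhoto", "sendDocument", "sendMessage"}
TASKING_METHODS = {"getUpdates"}

def parse_proxy_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed proxy line: '<ts> <src_ip> <verb> <url> <status>'."""
    parts = line.split()
    if len(parts) != 5:
        return None
    return dict(zip(("ts", "src", "verb", "url", "status"), parts))

def detect_telegram_c2(lines: List[str]) -> List[Dict[str, str]]:
    """One alert per line whose URL is a Telegram Bot API call, tagged by purpose."""
    alerts = []
    for line in lines:
        rec = parse_proxy_line(line)
        m = BOT_API_RE.search(rec["url"]) if rec else None
        if not m:
            continue
        method = m.group("method")
        kind = ("exfiltration" if method in EXFIL_METHODS
                else "tasking" if method in TASKING_METHODS else "other")
        # Keep only the numeric bot id: enough to pivot on, without logging the secret.
        bot_id = m.group("token").split(":", 1)[0] + ":<redacted>"
        alerts.append({"ts": rec["ts"], "src": rec["src"], "method": method,
                       "kind": kind, "bot": bot_id})
    return alerts

def sources_by_bot(alerts: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group alerting source IPs per bot id; one bot with many sources suggests a campaign."""
    out: Dict[str, List[str]] = {}
    for a in alerts:
        srcs = out.setdefault(a["bot"], [])
        if a["src"] not in srcs:
            srcs.append(a["src"])
    return out

# Constructed sample proxy lines; the token and addresses are made up.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 POST https://api.telegram.org/bot123456789:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi/sendPhoto 200",
    "2024-05-01T10:00:03Z 10.0.0.5 GET https://api.telegram.org/bot123456789:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi/getUpdates 200",
    "2024-05-01T10:00:07Z 10.0.0.9 POST https://api.telegram.org/bot123456789:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi/sendMessage 200",
    "2024-05-01T10:00:09Z 10.0.0.7 GET https://example.invalid/index.html 200",
]
```

Legitimate Telegram clients talk to the Telegram service, not to api.telegram.org/bot<token>/…, so a mobile device issuing Bot API calls is itself the anomaly worth triaging.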
Indicators of Compromise
- [Domain] – Phishing/C2 domains used by samples – otp-bni.rf.gd, pinjaman-pribadi.com, and 3 more domains (octoclicks.quizfinansial.cloud, 665c7425f6ef0924050d5bc7812d2870.cdn.bubble.io, 281057a700b761e04b22986e2c5809f2.cdn.bubble.io)
- [File] – APK filenames observed in campaigns – SMS Webpro.apk, NotifySmsStealer.apk, ICICI BANK.apk.apk, and 2 more APK variants
- [Certificate] – Example certificate subjects observed in fake/targeted apps – FalseCaller: DN “C:IN, CN:fast, ST:IN”; Common Name “fast”; and Clean TrueCaller: “CN:truecaller”