Lazarus Stealer : Android Malware for Russian Bank Credential Theft Through Overlay and SMS Manipulation

CYFIRMA analyzed an Android banking malware called “Lazarus Stealer” (unrelated to the DPRK-linked Lazarus Group) that disguises itself as GiftFlipSoft to stealthily intercept SMS, monitor apps, deploy phishing overlays, and exfiltrate banking credentials and SMS/OTP data. Infrastructure and code strings link the developer/operator to Russian-language control panels and Telegram, with C2 hosts such as 193.151.108.33 and the domain venom-lazarus.life. #Lazarus_Stealer #venom-lazarus.life

Keypoints

  • Disguised as GiftFlipSoft and hidden from launcher/recent apps to evade user detection.
  • Requests and abuses high-risk permissions and roles, including the default SMS app role, SYSTEM_ALERT_WINDOW, MODIFY_PHONE_STATE, and QUERY_ALL_PACKAGES.
  • Escalates to default SMS app to intercept, read, send, and delete SMS (including OTPs) and runs persistent foreground services (AppMonitorService, SMSForwardService).
  • Monitors app usage in real time and injects phishing overlays over targeted Russian banking apps to harvest PINs, card numbers, and credentials.
  • Loads dynamic WebView content from C2 to display version-specific phishing pages and exfiltrates collected data via HTTP POST to C2 servers.
  • Operator infrastructure hosted on SERV.HOST GROUP LTD with multiple IPs (e.g., 193.151.108.33) and domain venom-lazarus.life; Telegram links and marketplace profiles tie to the developer.
  • Persistence via foreground notifications and boot-start receivers; C2 communication uses the /check_version and /get_commands endpoints for remote control, including SMS-sending commands.
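
The permission and component pattern listed above (SMS permissions plus SYSTEM_ALERT_WINDOW, QUERY_ALL_PACKAGES, MODIFY_PHONE_STATE, excludeFromRecents="true", a max-priority SMS receiver, boot receivers and foreground services) is something a defender can triage statically from a decoded AndroidManifest.xml. The script below is an added example, not CYFIRMA's tooling or the malware's code; the package name, component names, risk weights and both manifests are constructed to mimic the behaviour described, and the score thresholds are an assumption.

```python
# Added example (not CYFIRMA's tooling): static triage of a decoded
# AndroidManifest.xml for the permission/component pattern described above.
# Package name, component names, weights and thresholds are constructed/assumed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _a(attr):
    """Namespaced key for an android:<attr> attribute, as ElementTree stores it."""
    return "{%s}%s" % (ANDROID_NS, attr)

# Permissions the summary calls out, with our own rough risk weights.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.READ_SMS": 3,
    "android.permission.SEND_SMS": 3,
    "android.permission.SYSTEM_ALERT_WINDOW": 3,   # draw phishing overlays over other apps
    "android.permission.MODIFY_PHONE_STATE": 2,    # signature-level; odd for a gift-card utility
    "android.permission.QUERY_ALL_PACKAGES": 2,    # enumerate installed apps (target discovery)
    "android.permission.PACKAGE_USAGE_STATS": 2,   # real-time app-usage monitoring
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,
    "android.permission.FOREGROUND_SERVICE": 1,
}
SMS_ACTIONS = {"android.provider.Telephony.SMS_RECEIVED",
               "android.provider.Telephony.SMS_DELIVER"}

def triage_manifest(xml_text):
    """Return {'score', 'verdict', 'findings'} for one decoded manifest."""
    root = ET.fromstring(xml_text)
    findings, score = [], 0
    for perm in root.iter("uses-permission"):
        name = perm.get(_a("name"), "")
        if name in RISKY_PERMISSIONS:
            score += RISKY_PERMISSIONS[name]
            findings.append("permission:" + name.rsplit(".", 1)[-1])
    app = root.find("application")
    for act in ([] if app is None else app.iter("activity")):
        if act.get(_a("excludeFromRecents"), "").lower() == "true":
            score += 2   # hidden from the recent-apps list, as the sample is
            findings.append("hidden_from_recents:" + act.get(_a("name"), "?"))
    for recv in ([] if app is None else app.iter("receiver")):
        rname = recv.get(_a("name"), "?")
        for flt in recv.iter("intent-filter"):
            actions = {a.get(_a("name")) for a in flt.iter("action")}
            prio = flt.get(_a("priority"))
            if actions & SMS_ACTIONS:
                score += 3
                findings.append("sms_receiver:%s:priority=%s" % (rname, prio))
                if prio and prio.lstrip("-").isdigit() and int(prio) >= 999:
                    score += 1   # wants SMS broadcasts ahead of the real messaging app
                    findings.append("sms_receiver_max_priority")
                if "android.provider.Telephony.SMS_DELIVER" in actions:
                    score += 2   # SMS_DELIVER only reaches the default SMS app
                    findings.append("default_sms_handler_candidate")
            if "android.intent.action.BOOT_COMPLETED" in actions:
                score += 1
                findings.append("boot_receiver:" + rname)
    for svc in ([] if app is None else app.iter("service")):
        if svc.get(_a("foregroundServiceType")):
            findings.append("foreground_service:" + svc.get(_a("name"), "?"))
    verdict = "high" if score >= 12 else "medium" if score >= 6 else "low"
    return {"score": score, "verdict": verdict, "findings": findings}

# Constructed manifest mimicking the reported pattern (not the real sample's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.giftflipsoft">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.MODIFY_PHONE_STATE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="GiftFlipSoft">
    <activity android:name=".MainActivity" android:excludeFromRecents="true"/>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".AppMonitorService" android:foregroundServiceType="dataSync"/>
    <service android:name=".SMSForwardService" android:foregroundServiceType="dataSync"/>
  </application>
</manifest>"""

# Constructed benign manifest for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"><activity android:name=".Main"/></application>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(text))
```

The parser expects a decoded (plain-XML) manifest, e.g. the one apktool writes out; the binary AXML inside an APK has to be decoded first. Individual permissions such as SYSTEM_ALERT_WINDOW or RECEIVE_BOOT_COMPLETED are common in legitimate apps, which is why the score is built from the combination rather than any single item; a messaging app will legitimately score on the SMS items, so the verdict is a triage hint, not a conviction.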

MITRE Techniques

  • [T1474] Supply Chain Compromise – Malware masquerades as a benign utility (GiftFlipSoft) to distribute malicious APK.
  • [T1541] Foreground Persistence – Uses foreground services (SMSForwardService) and persistent notifications like “Critical threat detected, click to continue” to remain active.
  • [T1603] Scheduled Task/Job – Uses periodic runnables and recurring handlers (executing every second) to perform permission checks and monitoring tasks.
  • [T1628] Hide Artifacts – Hides app icon and excludes itself from recent apps (excludeFromRecents="true") to evade user detection (“…preventing the app from appearing in the device’s recent apps list…”).
  • [T1406] Obfuscated Files or Information – Code strings and high version numbers used as internal identifiers to manage builds and evade simple detection.
  • [T1417] Input Capture – Captures credentials via phishing overlays and fake login/PIN screens over legitimate banking apps (“…displays a counterfeit PIN entry interface…”).
  • [T1418] Software Discovery – Queries and compares installed package names against a hardcoded list to identify targeted banking apps (“…compares against a hardcoded list of targeted banking application package names…”).
  • [T1426] System Information Discovery – Sends device metadata (user ID, Android version, APK version, model) to C2 for operator awareness.
  • [T1422] Internet Connection Discovery – Uses network checks and communicates with C2 endpoints (e.g., /check_version) to verify connectivity and retrieve commands.
  • [T1414] Input Capture (collection) – Intercepts SMS messages and harvests OTPs via broadcast receivers with maximum priority (“…intercepts SMS_RECEIVED and SMS_DELIVER broadcasts before legitimate messaging applications…”).
  • [T1636.004] SMS Messages – Specifically intercepts and forwards SMS content (sender, body, timestamp) to C2 (“…packages them into a JSON object…transmits the captured SMS content to the attacker’s server.”).
  • [T1437] Application Layer Protocol – Communicates with C2 over HTTP endpoints (e.g., http://193.151.108.33:1133/check_version) to receive commands and WebView URLs (“…establishes communication with the C2 server at http://193.151.108.33:1133/check_version…”).
  • [T1437.001] Web Protocols – Uses HTTP POST requests to send JSON payloads for exfiltration and command retrieval.
  • [T1521] Encrypted Channel – The report mentions structured channels for operator communication (note: control and content delivery also rely on dynamic WebView content fetched from C2).
  • [T1481] Web Services – Uses web endpoints (/get_webview_url, /get_commands) to dynamically control payloads and retrieve commands.
  • [T1646] Exfiltration Over C2 Channel – Exfiltrates stolen credentials and SMS data via HTTP POST to identified C2 servers (“…issues an HTTP POST request containing the exfiltrated data…”).

Indicators of Compromise

  • [APK Hash] GiftFlipSoft.apk – a19400371168a45aefad4e9972b98a011c1b63534585e7fafac1f7dc42104577 (malicious APK sample).
  • [IP Address] C2/exfiltration – 193.151.108.33, 193.151.108.203 (plus four other C2 IPs, such as 193.151.108.243 and 213.21.237.206).
  • [Domain] C2/exfiltration – venom-lazarus[.]life (used for control panels and C2 operations).
  • [File/Service Names] Malicious services/processes – AppMonitorService, SMSForwardService (persistent foreground services used for monitoring and exfiltration).
  • [Network Endpoints] C2 HTTP paths – /check_version, /get_commands, /get_webview_url (endpoints used for version checks, commands, and dynamic WebView URLs).
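
To put the network indicators above to work, a defender typically matches them against web-proxy or egress logs. The script below is an added example, not CYFIRMA's tooling; the log format and log lines are constructed, and the only indicator values in it are the ones listed on this page. It refangs the defanged domain, handles CONNECT lines (which carry host:port but no path), and treats a path-only match as low confidence, since names like /check_version are common in benign software.

```python
# Added example (not CYFIRMA's tooling): match the page's network IoCs against
# constructed web-proxy log lines, with confidence levels per match type.
import re
from urllib.parse import urlsplit

# Indicators from the summary; the domain is kept defanged exactly as listed.
C2_HOSTS_RAW = ["193.151.108.33", "193.151.108.203", "193.151.108.243",
                "213.21.237.206", "venom-lazarus[.]life"]
C2_PATHS = {"/check_version", "/get_commands", "/get_webview_url"}

def refang(indicator):
    """Turn a defanged indicator ('a[.]b', 'hxxp://') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

C2_HOSTS = {refang(h) for h in C2_HOSTS_RAW}

# Constructed log format: "<timestamp> <client_ip> <method> <url-or-host:port> <status>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|PUT|CONNECT)\s+(\S+)\s+(\d{3})$")

def parse_target(method, url):
    """Return (host, path). CONNECT targets are host:port with no scheme or path."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0], ""
    parts = urlsplit(url)
    return (parts.hostname or ""), (parts.path or "/")

def classify(host, path):
    """'high' for a known C2 host, 'low' for a C2-style path on an unknown host."""
    if host in C2_HOSTS:
        return "high"
    if path in C2_PATHS:
        return "low"   # generic endpoint name; needs corroboration before acting
    return None

def scan_log(lines):
    """Return one hit dict per matching line; malformed lines are skipped."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status = m.groups()
        host, path = parse_target(method, url)
        conf = classify(host, path)
        if conf:
            hits.append({"ts": ts, "client": client, "method": method,
                         "host": host, "path": path, "confidence": conf})
    return hits

def clients_by_confidence(hits, level):
    """Distinct client IPs with at least one hit at the given confidence."""
    return sorted({h["client"] for h in hits if h["confidence"] == level})

# Constructed log lines (timestamps and client IPs are made up).
SAMPLE_LOG = [
    "2025-01-15T09:12:01Z 10.0.0.5 POST http://193.151.108.33:1133/check_version 200",
    "2025-01-15T09:12:03Z 10.0.0.5 POST http://193.151.108.33:1133/get_commands 200",
    "2025-01-15T09:13:10Z 10.0.0.7 CONNECT venom-lazarus.life:443 200",
    "2025-01-15T09:14:22Z 10.0.0.9 POST https://updates.example.com/check_version 200",
    "2025-01-15T09:15:00Z 10.0.0.9 GET https://www.example.org/ 200",
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("high-confidence clients:", clients_by_confidence(hits, "high"))
    print("low-confidence clients: ", clients_by_confidence(hits, "low"))
```

On the constructed log the two hosts 10.0.0.5 and 10.0.0.7 come back as high-confidence contacts with the listed infrastructure, while 10.0.0.9 is only a low-confidence path match that should be corroborated (for example with the APK hash on the device) rather than escalated on its own. The IP indicators are shared hosting at SERV.HOST GROUP LTD, so even a host match is worth pairing with the endpoint paths before attributing traffic to this family.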


Read more: https://www.cyfirma.com/research/lazarus-stealer-android-malware-for-russian-bank-credential-theft-through-overlay-and-sms-manipulation/