Zimperium's zLabs uncovered a large-scale Android SMS stealer campaign active since February 2022 that harvests OTPs and other SMS data via a C2 network. The operation uses deceptive ads and Telegram bots to trick users into installing malicious apps, with over 107,000 samples observed across 113 countries and 600+ global brands. #Zimperium #OTPStealer
Keypoints
- Large-scale Android SMS stealer campaign active since Feb 2022, with 107,000+ malware samples and presence across 113 countries and 600+ brands.
- Threat actors use deceptive ads and Telegram bots to distribute apps and lure users into sideloading.
- Malware requests SMS read permissions to intercept and exfiltrate OTPs and other messages.
- Initial C2 methods included Firebase; later campaigns leveraged GitHub repositories and embedded C2 addresses; 13 C2 servers observed.
- Intercepted OTP/SMS data is exfiltrated to the C2 servers over HTTPS; in some of the analyzed infrastructure the C2 backend is a Laravel-based web application.
- The motive appears financial: the campaign is linked to fastsms.su, an OTP platform that monetizes the stolen messages and accepts cryptocurrency payments for OTP-related services.
MITRE Techniques
- [T1624.001] Event Triggered Execution: Broadcast Receivers - "It creates a broadcast receiver to receive SMS events."
- [T1406.002] Obfuscated Files or Information: Software Packing - "It is using obfuscation and packers to conceal its code."
- [T1517] Access Notifications - "It registers a receiver to monitor incoming SMS messages."
- [T1636.004] Protected User Data: SMS Messages - "It exfiltrates all the incoming OTP SMS messages."
- [T1481.003] Web Service: One-Way Communication - "It sends all the exfiltrated info to a C&C server."
- [T1646] Exfiltration Over C2 Channel - "It is using HTTPS protocol to exfiltrate data."
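The two behaviours the keypoints and the T1624.001 / T1636.004 entries describe (the app requests SMS permissions and registers a broadcast receiver for incoming SMS) are visible in the decoded AndroidManifest.xml before the app ever runs, which makes them a cheap static triage signal. The script below is an added example written for this page, not code from Zimperium or from the campaign's samples; the two manifests it inspects are constructed inline (the package names, class names and label are invented for illustration), and the heuristic it applies is an assumption of what a triage analyst would look for, not a published detection rule.

```python
"""Static triage of a decoded AndroidManifest.xml for SMS-stealer indicators.

Added example (not from the Zimperium report). Flags the combination the
campaign summary describes: SMS permissions requested together with a
broadcast receiver registered for android.provider.Telephony.SMS_RECEIVED.
A high android:priority on that intent filter is an extra hint, because
stealers use it to see the message before the default SMS app does.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_MMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: a sideloaded "gift" app with the stealer pattern.
# Package/class names are invented for this example.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakegift">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Free Gift">
        <receiver android:name=".SmsListener" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed sample: a benign app with a receiver but no SMS access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <receiver android:name=".BootReceiver" android:exported="false">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def analyze_manifest(xml_text):
    """Return requested SMS permissions, SMS_RECEIVED receivers and a verdict."""
    root = ET.fromstring(xml_text)

    requested = {_attr(p, "name") for p in root.iter("uses-permission")}
    sms_perms = sorted(requested & SMS_PERMISSIONS)

    sms_receivers = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED_ACTION not in actions:
                continue
            priority = _attr(flt, "priority")
            sms_receivers.append({
                "name": _attr(receiver, "name"),
                "exported": _attr(receiver, "exported") == "true",
                "priority": int(priority) if priority is not None else 0,
            })

    # Verdict: both halves of the pattern must be present. A receiver alone
    # (e.g. a BOOT_COMPLETED hook) or SMS permissions alone are not enough.
    suspicious = bool(sms_perms) and bool(sms_receivers)
    return {
        "sms_permissions": sms_perms,
        "sms_receivers": sms_receivers,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        print(label, analyze_manifest(manifest))
```

Run it against the manifest produced by decoding an APK (for example the AndroidManifest.xml written by `apktool d sample.apk`), since the manifest inside the APK is binary XML and will not parse as-is. Treat a hit as a triage lead rather than a conviction: legitimate SMS clients and some 2FA apps request the same permissions, while packed samples (T1406.002) may hide the receiver registration in code rather than in the manifest, so a clean manifest does not clear a sample.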
Indicators of Compromise
- [Domain] fastsms.su - linked to the OTP platform and to monetization of the stolen data.
- [URL] https://github.com/Zimperium/IOC/tree/master/2024-07-OTP-Stealer - repository containing IOCs and related data for the campaign.