The world of cybersecurity is constantly evolving, with new threats emerging at an alarming pace. One of the latest and most concerning trends involves the use of Telegram bots to steal one-time passwords (OTPs) and SMS messages, posing a significant risk to multifactor authentication (MFA) systems. This detailed article delves into the intricacies of this malicious campaign, its methods, and its global impact, while providing an analysis of the malware involved and its broader implications.
Introduction to the Threat
Zimperium, a leading cybersecurity firm, has uncovered a malicious campaign targeting Android devices worldwide. The attackers leverage thousands of Telegram bots to infect devices with malware designed to steal SMS messages and OTPs used for two-factor authentication (2FA) from over 600 services. This campaign, active until February 2022, has involved at least 107,000 different malware samples. The primary targets are users in India and Russia, but victims have also been found in Brazil, Mexico, and the United States, with a total of 113 countries affected.
Malware Distribution and Infection Methods
The malware operators are motivated by financial gain, using infected devices as relays for authentication and anonymization. The SMS-stealing malware is distributed via two primary methods: malicious advertising and Telegram bots.
- Malicious Advertising: Victims are lured through advertising links to pages mimicking the Google Play Store. These pages display inflated download numbers to create an illusion of legitimacy and safety.
- Telegram Bots: Bots promise to provide victims with pirated Android apps, but require the user’s phone number before sharing the APK file. This allows the bot to create a personalized APK to track the user and execute other attacks.
Once on the victim’s device, the malware requests permission to access SMS, enabling it to intercept OTPs necessary for account registration and 2FA. Approximately 2,600 Telegram bots, tied to 13 command-and-control (C2) servers, are used to promote the various APKs. The intercepted SMS messages are then transmitted to an API endpoint on the fastsms[.]su website, which offers access to virtual phone numbers in foreign countries for anonymization and authentication on various platforms.
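The relay behaviour described above leaves a network footprint a defender can look for: an Android handset posting to the Telegram Bot API (paths of the form /bot<token>/<method> on api.telegram.org, which the official Telegram client does not use) or to the fastsms[.]su endpoint named in the report. The following Python script is an added example, not Zimperium's tooling or code from the article; the proxy-log format, the client addresses and the bot token are all constructed, and the assumption that Bot API calls from a mobile User-Agent are anomalous should be checked against your own environment.

```python
import re
from urllib.parse import urlparse

# One constructed proxy-log line per request: timestamp, client IP, method,
# full URL, HTTP status and quoted User-Agent. The format is an assumption.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# Telegram Bot API paths look like /bot<numeric id>:<secret>/<method>.
BOT_PATH_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)")
# The article names fastsms[.]su as the SMS relay endpoint; extend as needed.
WATCHED_HOSTS = {"fastsms.su"}
ANDROID_UA_MARKERS = ("Dalvik", "Android")

# Constructed sample traffic; the bot token and IP addresses are invented.
SAMPLE_LOG = """\
2024-05-02T10:14:01Z 10.0.0.23 GET https://play.googleapis.com/log/batch 200 "Dalvik/2.1.0 (Linux; U; Android 12)"
2024-05-02T10:14:03Z 10.0.0.23 POST https://api.telegram.org/bot7234567890:AAFexampleTOKEN_0/sendMessage 200 "Dalvik/2.1.0 (Linux; U; Android 12)"
2024-05-02T10:14:05Z 10.0.0.23 POST https://fastsms.su/api/receive 200 "okhttp/4.9.0"
2024-05-02T10:15:00Z 10.0.0.80 POST https://api.telegram.org/bot7234567890:AAFexampleTOKEN_0/sendMessage 200 "python-requests/2.31"
"""


def redact_token(token: str) -> str:
    """Keep only the leading digits of the bot id so findings can be
    correlated without copying the full secret into an alert."""
    return "bot" + token.split(":", 1)[0][:4] + "***"


def classify(line: str):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlparse(m["url"])
    host = (url.hostname or "").lower()
    if host in WATCHED_HOSTS:
        return {"src": m["src"], "rule": "known_sms_relay_host",
                "detail": host + url.path}
    if host == "api.telegram.org":
        bot = BOT_PATH_RE.match(url.path)
        # Bot API traffic from a server (the last sample line) is normal for an
        # organisation's own bots; a handset speaking the Bot API is not.
        if bot and any(marker in m["ua"] for marker in ANDROID_UA_MARKERS):
            return {"src": m["src"], "rule": "telegram_bot_api_from_android",
                    "detail": f"{redact_token(bot['token'])} method={bot['method']}"}
    return None


def detect(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [finding for finding in map(classify, lines) if finding]


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

Only two of the four constructed lines produce findings: the handset's Bot API call and its POST to the relay host. The server-side Bot API call is left alone on purpose, and the token is truncated in the alert so the finding can be pivoted on without leaking the secret into a ticketing system.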
Detailed Analysis of Core Malware
SMS Webpro
Functionality and Permissions
SMS Webpro is an SMS-stealing malware that masquerades as a legitimate application, often a wedding invitation. The app requires extensive permissions, including the ability to read, send, and intercept SMS messages, and access the network.
Operational Mechanism
The core functionality resides in the com.example.myapplication namespace, particularly in the MainActivity, ReceiveSms, and SendSMS classes. The MainActivity class launches the app and requests permissions, diverting the user’s attention by opening a web page. Upon receiving permissions, the malware sends a message to the bot, notifying it of a new user, identified by the unique parameters of their phone, such as Build.FINGERPRINT and Build.TIME.
SMS Interception
The ReceiveSms class filters the android.provider.Telephony.SMS_RECEIVED intent, extracting the text and phone number of the sender from incoming messages. This data is then sent to the Telegram bot. The SendSMS class can send messages to the server if certain conditions are met, such as the message starting with “55555”.
NotifySmsStealer
Extended Functionality
NotifySmsStealer extends the functionality of SMS Webpro by also stealing notifications. It requires more extensive permissions, including the ability to track notifications and recover after a reboot.
Notification Service
The NotificationService class handles incoming notifications, extracting the Title, Text, and Data parameters. This information is sent to the MainActivity class via a dynamically registered BroadcastReceiver, which then sends it to the Telegram bot.
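The traits described for SMS Webpro and NotifySmsStealer (SMS permissions plus a receiver for android.provider.Telephony.SMS_RECEIVED, a notification listener service, and boot persistence) are all visible in an APK's manifest before any code is run, which makes them a cheap first-pass triage check. The script below is an added example, not Zimperium's analysis tooling or code from the malware; the sample manifest is constructed to mirror the component names given above, and the package and label are assumptions. It also checks for the one thing a genuine SMS client declares and a stealer usually does not: an activity that handles SENDTO intents for the sms:/smsto: schemes.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
NOTIFICATION_LISTENER_PERMISSION = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"

# Constructed manifest modelled on the classes named in the article (a decoded
# manifest as apktool would produce). Package and component names are assumptions.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.myapplication">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Wedding Invitation">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".ReceiveSms" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <service android:name=".NotificationService"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed benign manifest for comparison: network access, no SMS surface.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"><activity android:name=".Main"/></application>
</manifest>
"""


def _name(el):
    return el.get(ANDROID_NS + "name")


def triage_manifest(manifest_xml: str) -> dict:
    """Extract SMS/notification-stealer indicators from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {_name(p) for p in root.iter("uses-permission")}
    sms_receivers = [_name(r) for r in root.iter("receiver")
                     if any(_name(a) == SMS_RECEIVED_ACTION for a in r.iter("action"))]
    notif_services = [_name(s) for s in root.iter("service")
                      if s.get(ANDROID_NS + "permission") == NOTIFICATION_LISTENER_PERMISSION]
    # A real SMS client also offers to compose messages: an activity taking
    # SENDTO for sms:/smsto:. Receiving SMS without that is the odd combination.
    default_sms_handler = False
    for act in root.iter("activity"):
        actions = {_name(a) for a in act.iter("action")}
        schemes = {d.get(ANDROID_NS + "scheme") for d in act.iter("data")}
        if "android.intent.action.SENDTO" in actions and schemes & {"sms", "smsto"}:
            default_sms_handler = True
    indicators = []
    if perms & SMS_PERMISSIONS:
        indicators.append("requests_sms_permissions")
    if sms_receivers:
        indicators.append("registers_sms_received_receiver")
    if "android.permission.INTERNET" in perms:
        indicators.append("has_internet")
    if notif_services:
        indicators.append("notification_listener_service")
    if BOOT_PERMISSION in perms:
        indicators.append("boot_persistence")
    core = {"requests_sms_permissions", "registers_sms_received_receiver", "has_internet"}
    if core <= set(indicators) and not default_sms_handler:
        verdict = "suspicious"
    elif perms & SMS_PERMISSIONS or notif_services:
        verdict = "review"
    else:
        verdict = "no_sms_indicators"
    return {"verdict": verdict, "indicators": indicators, "sms_receivers": sms_receivers,
            "notification_services": notif_services,
            "declares_default_sms_handler": default_sms_handler}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(triage_manifest(BENIGN_MANIFEST))
```

The check is deliberately a triage signal rather than a verdict: a legitimate messaging app or an MFA authenticator that reads SMS codes will also trip the core indicators, which is why the script demotes anything that declares a compose activity to "review" and why the notification-listener and boot-persistence flags are reported separately rather than folded into one score.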
Unique Malware Samples
Gallery Stealer
Gallery Stealer, identified in early 2024, primarily targets India. It requests numerous permissions, including access to the device’s memory and contacts. The malware collects .jpg files from the device’s camera folder and sends them to the C2 server using a Telegram bot.
FalseCaller
FalseCaller mimics the Truecaller app, but its certificate is fake. It targets Indian users, filtering intents for notifications, SMS, and calls. Only notification messages reach the C2 server due to priority settings.
ICARD
ICARD imitates the ICICI Bank app but uses a fake certificate. It requires permissions specific to OPPO and Huawei phones. The app opens a phishing page that mimics the ICICI Bank login, collecting user credentials.
Phishing and Distribution Methods
Phishing is the most common method of spreading these malware apps. Victims receive messages with APK files attached, often masquerading as legitimate services. Phishing sites also distribute these apps, mimicking banking apps and other services.
The use of Telegram bots as C2 servers for SMS-stealing malware poses a significant threat to MFA systems. This malicious campaign highlights the need for enhanced cybersecurity measures and user awareness to prevent such attacks. By following basic safety rules, users can protect themselves from these sophisticated threats, ensuring their personal information and financial data remain secure.
Copyright of debuglies.com