Over 100,000 Malware Android Apps Steal OTP Codes

A new malicious campaign has been identified, using Android apps to steal users’ SMS messages since at least February 2022. These apps are part of a large-scale effort to intercept one-time passwords (OTPs) used for online account verification, facilitating identity fraud.

The campaign involves over 107,000 unique malicious app samples, designed to intercept OTPs. “Of those 107,000 malware samples, over 99,000 were unknown and unavailable in generally available repositories,” mobile security firm reported. “This malware monitored OTP messages across over 600 global brands, some of which have user counts in the hundreds of millions.”

Victims have been detected in 113 countries, with India and Russia being the most affected, followed by Brazil, Mexico, the U.S., Ukraine, Spain, and Turkey.

The attack begins when a victim is tricked into installing a malicious app, either through deceptive ads mimicking Google Play Store listings or via one of the 2,600 Telegram bots masquerading as legitimate services like Microsoft Word. Once installed, the app requests permission to access incoming SMS messages and then connects to one of 13 command-and-control (C2) servers to transmit the stolen messages.

“The malware remains hidden, constantly monitoring new incoming SMS messages,” the researchers explained. “Its primary target is OTPs used for online account verification.”

The identity of the threat actors remains unknown, although they accept various payment methods, including cryptocurrency, to support a service called Fast SMS (fastsms[.]su). This service allows customers to purchase access to virtual phone numbers, likely using infected devices without the owner’s knowledge to register for online accounts and harvest OTPs required for two-factor authentication (2FA).

In early 2022, researcher highlighted a similar service that created a botnet of Android devices to “register disposable accounts in bulk or create phone-verified accounts for conducting fraud and other criminal activities.”

“These stolen credentials serve as a springboard for further fraudulent activities, such as creating fake accounts on popular services to launch phishing campaigns or social engineering attacks,” researcher added.

The findings underscore the ongoing abuse of Telegram, a popular instant messaging app with over 950 million monthly active users, by malicious actors for purposes ranging from malware propagation to C2 communication.

Another malware, TgRAT, uses Telegram as a C2 server. This Windows remote access trojan, recently updated to include a Linux variant, can download files, take screenshots, and run commands remotely.

“Telegram is widely used as a corporate messenger in many companies,” researcher noted. “Therefore, it is not surprising that threat actors use it as a vector to deliver malware and steal confidential information. The program’s popularity and routine traffic to Telegram’s servers make it easy to disguise malware on a compromised network.”

To prevent malware infections on your Android device, only install apps from reputable sources like the Google Play Store. Review app permissions carefully and avoid granting unnecessary access to sensitive information. Use reliable mobile security software to detect and block malicious apps. Be cautious of phishing attempts through SMS and other messaging platforms, and enable two-factor authentication (2FA) to protect your accounts from unauthorized access.