The malware spreads through push notifications, alerts, and malvertising on free video streaming, adult sites, and game-hack pages.
TrojanSMS, which the company calls SMSFactory, siphons money from victims worldwide, including the US, France, and Spain, by sending premium SMS and making calls to premium-rate phone numbers.
“These numbers appear to be part of a conversion scheme, where the SMS includes an account number, identifying who should receive the money for the messages sent. Undetected, it can rack up a high phone bill, up to $7 per week or $336 per year, leaving an unpleasant surprise for victims,” cybersecurity company Avast said.
Avast claims it has protected more than 165,000 people worldwide, including users in Russia, Brazil, Argentina, Turkey, and Ukraine, from this threat this year.
One of the discovered SMSFactory versions can also extract victims’ contact lists to spread the malware further. Due to the nature of this malware, the user is unaware of the damage until they receive their phone bill.
Threat actors have been spreading the malware via two malicious Android app stores and targeting people looking for a game hack, adult content, free video streaming, or similar apps.
Avast noted that the bad actors heavily rely on malvertising. It refers to a type of cyberattack when fraudsters embed malicious code in advertisements to get the user’s device injected with malware. The user is prompted to download a file that is made to resemble the site they were redirected from.
Once the victim installs an app, they are met with a welcome screen.
“Clicking accept will activate the app’s malicious behavior. The app then presents the user with a basic menu of videos, adult content, and games that don’t work or aren’t available most of the time,” Avast said.
To avoid similar scams, users should stick to official app stores, limit premium SMS, and, of course, remain vigilant.