Thousands of Telegram bots are spreading SMS-stealing malware to Android devices in 113 countries


A malicious campaign targeting Android devices worldwide is using thousands of Telegram bots to distribute malware that steals SMS messages, including the one-time passwords (OTPs) used as a second factor by more than 600 online services. Zimperium, which published the research, says it has been tracking the operation since February 2022 and has found at least 107,000 distinct malware samples linked to the campaign.

The lure is built to look legitimate. Victims are tricked into clicking links or installing malicious apps, either through malvertising or through Telegram bots that interact directly with the target. In one variant, a Telegram bot offers pirated Android apps and asks the user to share a phone number before it sends the APK file. That request is itself a warning sign: a legitimate app store never needs your phone number to hand you an installer.


Once installed, the app asks for permission to read SMS messages (the READ_SMS and RECEIVE_SMS permissions on Android), which gives it access to everything that arrives by text, including OTPs. Zimperium identified roughly 2,600 Telegram bots linked to the campaign, serving as distribution channels for the malicious apps, which in turn report to 13 command-and-control (C2) servers.

The campaign has hit victims in 113 countries, with Russia and India the most heavily targeted in Zimperium's sample. Zimperium also tied one of the malware samples to the website fastsms.su, which sells access to "virtual" phone numbers in foreign countries. Such numbers are bought both for anonymity and for passing phone-number verification and OTP checks on online platforms and services.


It is very likely that the infected devices are being used by that service without their owners' knowledge: the SMS permission the app requested lets the malware capture the OTPs needed to register accounts and pass two-factor authentication on the victim's number. To keep your number from being abused, do not install APK files from outside Google Play, and do not grant sensitive permissions such as SMS access to apps whose advertised function has nothing to do with them. If an app already on the device holds SMS permissions it does not need, revoke them in Settings or uninstall the app.
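The permission request described above and the advice to refuse SMS access to unrelated apps can be turned into a quick device audit. The following Python script is an added example written for this page, not code from Zimperium or TechNave. It parses the text produced by `adb shell dumpsys package` (the field layout it expects, such as the `Package [...]` headers, `installerPackageName=` line and `requested permissions:` / `runtime permissions:` sections, is an assumption based on typical output and may differ between Android versions), lists every app that requests SMS permissions, and ranks sideloaded apps that actually hold those permissions highest, since that is the profile of the stealer described here. The sample dumpsys text and the package names in it are constructed for the demonstration.

```python
"""Flag Android apps that request or hold SMS permissions.

Added example for this article, not code from Zimperium or TechNave. Feed it
`adb shell dumpsys package` output on stdin, or run it without stdin to use the
constructed sample. The dumpsys layout assumed here is an assumption based on
typical output and may vary by Android version.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# What an SMS stealer needs; READ_PHONE_NUMBERS lets it learn the victim's own number.
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                   "android.permission.SEND_SMS", "android.permission.RECEIVE_MMS",
                   "android.permission.READ_PHONE_NUMBERS"}
# Installer IDs treated as store channels; anything else, or none, counts as sideloaded.
STORE_INSTALLERS = {"com.android.vending"}  # Google Play; add vendor stores as needed

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
INSTALLER_RE = re.compile(r"^\s*installerPackageName=(\S+)")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+)(?::\s*granted=(true|false))?")
SECTIONS = ("requested permissions:", "install permissions:", "runtime permissions:")
RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


@dataclass
class PackageInfo:
    name: str
    installer: Optional[str] = None
    requested: Set[str] = field(default_factory=set)
    granted: Set[str] = field(default_factory=set)


def parse_dumpsys(text: str) -> List[PackageInfo]:
    """Collect installer plus requested and granted permissions for each package."""
    packages: List[PackageInfo] = []
    current, section = None, None
    for line in text.splitlines():
        if m := PKG_RE.match(line):
            current = PackageInfo(m.group(1))
            packages.append(current)
            section = None
        elif current is None:
            continue
        elif m := INSTALLER_RE.match(line):
            current.installer = None if m.group(1) == "null" else m.group(1)
        elif line.strip() in SECTIONS:
            section = line.strip()
        elif section and (m := PERM_RE.match(line)):
            current.requested.add(m.group(1))  # listed in any section => requested
            if m.group(2) == "true":           # "granted=true" => currently held
                current.granted.add(m.group(1))
    return packages


def audit(packages: List[PackageInfo], stores: Set[str] = STORE_INSTALLERS) -> List[Dict]:
    """Return SMS-capable apps, most suspicious first."""
    # HIGH: sideloaded and holding an SMS permission (the stealer's profile).
    # MEDIUM: sideloaded but not granted, or store-installed and granted.
    # LOW: store-installed and not granted.
    findings = []
    for pkg in packages:
        wanted = pkg.requested & SMS_PERMISSIONS
        if not wanted:
            continue
        held = pkg.granted & SMS_PERMISSIONS
        sideloaded = pkg.installer not in stores
        severity = "HIGH" if sideloaded and held else "MEDIUM" if sideloaded or held else "LOW"
        findings.append({"package": pkg.name, "installer": pkg.installer or "none",
                         "severity": severity, "requested_sms": sorted(wanted),
                         "granted_sms": sorted(held)})
    return sorted(findings, key=lambda f: (RANK[f["severity"]], f["package"]))


# Constructed sample in dumpsys style; package names are fictitious.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.pirated.player] (7a1b2c3):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
  Package [com.example.bank] (9f8e7d6):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.RECEIVE_SMS
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=false, flags=[ USER_SET ]
  Package [com.example.flashlight] (1122334):
    installerPackageName=null
    requested permissions:
      android.permission.CAMERA
"""

if __name__ == "__main__":
    piped = "" if sys.stdin is None or sys.stdin.isatty() else sys.stdin.read()
    for f in audit(parse_dumpsys(piped or SAMPLE_DUMPSYS)):
        print(f"[{f['severity']}] {f['package']} installer={f['installer']} "
              f"held={f['granted_sms']} requested={f['requested_sms']}")
```

Run it as `adb shell dumpsys package | python3 sms_audit.py` on a device with USB debugging enabled. A HIGH finding is not proof of infection, since SMS backup tools and messaging apps legitimately hold these permissions, but a sideloaded "media player" or "game" holding READ_SMS matches the behaviour Zimperium describes and deserves removal.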

What are your thoughts about this news? Stay tuned for more news and updates like this at TechNave!