Research from Zimperium has unveiled a sophisticated campaign stealing SMS messages. The research refers to this campaign as the SMS Stealer, revealing that the malicious software has been identified in more than 105,000 samples. This suggests the SMS Stealer has a notable reach. 

Key findings from the research include:

• More than 95% of samples were unknown and unavailable.
• OTP text messages were hijacked by malware across more than 600 global brands.
• Around 4,000 samples included pre-embedded phone numbers within Android kit.
• More than 2,600 Telegram bots were connected with the campaign as a distribution channel.

• There were 13 C&C servers discovered that were potentially used to receive stolen SMS messages.

Security leaders weigh in 

Jason Soroko, Senior Vice President of Product at Sectigo:

“The integration of pre-embedded phone numbers in nearly 4,000 samples, coupled with the use of 13 C&C servers and more than 2,600 Telegram bots, underscores the complexity and scale of this operation. We have seen SMS redirection malware in the past, however, the ability of SMS Stealer to intercept OTPs, facilitate credential theft, and enable further malware infiltration poses severe risks. This includes ransomware attacks and financial fraud. This campaign underscores the urgent need for enhanced mobile security strategies, emphasizing robust application permissions management and continuous threat monitoring to safeguard digital identities and enterprise integrity.”

Stephen Kowski, Field CTO at SlashNext Email Security+:

“The SMS Stealer malware’s ability to intercept one-time passwords, and target more than 600 global brands, highlights a critical vulnerability in current security frameworks and demonstrates the sophisticated nature of mobile threats today. Implementing a multi-layered security approach that leverages advanced behavioral analysis, machine learning and real-time threat intelligence is essential to enhance detection and combat these threats effectively. Robust mobile threat defense solutions, proactive defense strategies and continuous security updates play a pivotal role in identifying and neutralizing hidden malware, protecting against financial loss and identity theft, and maintaining the integrity of mobile networks and sensitive user information.”

Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit:

“Subversion of mobile phones is of increasing interest to bad actors seeking to subvert weakly defended one-time password accounts and other sensitive information that can be compromised via SMS malware. Text messages increasingly contain a wealth of sensitive information that can be used for secure authentication as well as extortion of a victim. SMS malware, when combined with other identity access broker data, becomes a toxic cocktail for victims targeted by sophisticated adversaries.”

Darren Guccione, CEO and Co-Founder at Keeper Security:

“The SMS Stealer threat is a stark reminder of the evolving tactics of cybercriminals to exploit unsuspecting victims. This insidious malware leverages fake ads and Telegram bots posing as legitimate services to gain access to victims’ SMS messages, including one-time passwords (OTPs).

“The transmission of stolen SMS messages — and OTPs in particular — is highly concerning. OTPs are a key component of Multi-Factor Authentication (MFA), an important security measure designed to protect accounts. By intercepting these messages, cybercriminals can bypass those MFA protections, gain unauthorized access to accounts and potentially cause very real harm. It’s important to recognize that not all forms of MFA offer the same level of security.

“The impact of SMS Stealer is multifaceted. The malware can intercept and steal OTPs and login credentials, leading to complete account takeovers. With these stolen credentials, attackers can infiltrate systems with additional malware, amplifying the scope and severity of their attacks. They can also deploy ransomware, which encrypts data so they can demand financial payment for recovery. Furthermore, attackers can make unauthorized charges, create fraudulent accounts and execute significant financial theft and fraud. 

“To mitigate such threats, individuals and organizations must remain vigilant and adopt robust security practices. This includes being wary of ads and suspicious messages, regularly updating software and security systems and considering alternative authentication methods that do not rely solely on SMS-based OTPs.”