
Socially engineered SMS messages are being used to install malware on Android devices as part of a widespread phishing campaign that impersonates the Iranian government and social security services to make away with credit card details and steal funds from victims’ bank accounts.

Unlike other variants of banking malware that bank on overlay attacks to capture sensitive data without the knowledge of the victim, the financially motivated operation uncovered by Check Point Research is designed to trick the targets into handing over their credit card information by sending them a legitimate-looking SMS message that contains a link, which, when clicked, downloads a malware-laced app onto their devices.

“The malicious application not only collects the victim’s credit card numbers, but also gains access to their 2FA authentication SMS, and turn[s] the victim’s device into a bot capable of spreading similar phishing SMS to other potential victims,” Check Point researcher Shmuel Cohen said in a new report published Wednesday.

The cybersecurity firm said it uncovered several hundred different phishing Android applications that masqueraded as device tracking apps, Iranian banks, dating and shopping sites, cryptocurrency exchanges, and government-related services, with these botnets sold as a “ready-to-use mobile campaign kit” on Telegram channels for between $50 and $150.

The smishing botnet’s infection chain commences with a fake notification from the Iranian Judiciary urging users to review a supposed complaint filed against the recipients of the message. The link to the complaint directs the victims to what ostensibly looks like a government website, where they are asked to enter their personal information (e.g., name, phone number, etc.) and download an Android APK file.

Once installed, the rogue application not only requests invasive permissions to perform activities that are not generally associated with such government apps, it also presents a fake login screen that mimics Sana, the country’s electronic judicial notice system, and tells the victim that they need to pay a $1 fee to proceed further.
