The actors behind a series of ongoing SMS phishing scams targeting Europe-based Android users have not only intensified their campaigns, but also significantly upgraded the credentials-stealing malware that's been infecting their victims.
Researchers at FireEye last April initially analyzed three related smishing campaigns targeting Denmark and Italy – all with the same command-and-control communications protocol, and all featuring Android malware that steals credentials by creating fake, malicious overlays of legitimate Android apps. But in a new blog post yesterday, FireEye revealed that the campaigns have grown in number to five, and also expanded their attack range to include users in Germany and Austria and to a lesser extent the U.K. and Norway.
In its new report, FireEye remarked that from Feb. 2016 to June 2015, its researchers observed 55 malicious binaries used for smishing campaigns across Europe. In all of these instances, the corresponding malware – referred to in older cases as Mazar Bot – constantly monitors infected devices to determine which apps are actively running in the foreground. If an activated app is among its programmed targets, the malware overlays the real app with an imposter. Users think they are entering their credentials into the legitimate app's input user interface, but that data is actually sent to one of 12 malicious command-and-control servers, spread across five locations around the world.
According to FireEye, the smishing scams have significantly evolved their tactics in the last few months. For instance, in their infancy, the campaigns primarily targeted Android banking and financial apps, including MobilePay in Denmark. Now they are targeting less obvious, seemingly benign apps such as WhatsApp in Italy and Germany, and Google Play, Uber, YouTube and WeChat in Denmark and Austria. FireEye researcher Wu Zhou said that these apps were likely chosen because they are “very popular” and “have a much, much larger user base” compared to previous targets.
The five campaigns are officially named as follows: MPay-Denmark, Whats-Italy, Whats-Germany, PostDanmark and Post-Austria.
Furthermore, the malware has taken steps to circumvent the “App Ops” permissions process that Google introduced in Android 4.3 in order to allow users to set app restrictions at runtime rather than during installation. In programming terms, the malware uses reflection to bypass the SMS writing restriction normally enforced by App Ops. The malware also has become more difficult to analyze due to clever obfuscation techniques, FireEye added.
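The overlay behaviour described above and the SMS abuse described in this paragraph both show up in an APK's declared permissions: an overlay credential stealer needs a window it can draw over other apps, a way to see which app is in the foreground, and SMS access. The following triage script is an added example written for this article, not FireEye's tooling and not code from the malware. It parses the `<uses-permission>` entries of a decoded AndroidManifest.xml (a constructed sample is embedded) and flags that combination. The permission names are real Android permissions; the grouping, the verdict thresholds and the sample package name are this example's own assumptions. It inspects manifest-declared capabilities only, so a reflection-based App Ops bypass would have to be found in the code, not here.

```python
"""Static triage heuristic for Android overlay / SMS-abusing malware.

Added example for this article; it is not FireEye's tooling and not the
malware's code. It parses the <uses-permission> entries of an
AndroidManifest.xml (constructed sample below) and flags the permission
combination an overlay credential stealer needs: an overlay window, a way to
watch which app is in the foreground, and SMS access. The grouping and the
verdict thresholds are this example's own assumptions, not a published
signature; legitimate apps can request any one of these permissions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # android:name in ElementTree's Clark notation

# Real Android permission names; the grouping into capabilities is an assumption.
OVERLAY = {"android.permission.SYSTEM_ALERT_WINDOW"}
FOREGROUND_WATCH = {"android.permission.GET_TASKS",
                    "android.permission.PACKAGE_USAGE_STATS"}
SMS_ACCESS = {"android.permission.SEND_SMS",
              "android.permission.RECEIVE_SMS",
              "android.permission.READ_SMS"}

# Constructed sample manifest, shaped like what a decoded APK yields.
# The package name is a placeholder, not an identifier from the campaigns.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.postal.tracking">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return the android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def overlay_stealer_indicators(perms: set[str]) -> dict[str, bool]:
    """Map each capability the article describes to whether the manifest requests it."""
    return {
        "overlay": bool(perms & OVERLAY),
        "foreground_watch": bool(perms & FOREGROUND_WATCH),
        "sms_access": bool(perms & SMS_ACCESS),
    }


def triage(manifest_xml: str) -> tuple[str, dict[str, bool]]:
    """Return (verdict, indicator breakdown) for one manifest.

    Verdict rule (an assumption to tune locally): overlay plus both other
    capabilities is 'high'; overlay plus one of them is 'medium'; anything
    else, including an overlay-only app, is 'low'.
    """
    ind = overlay_stealer_indicators(requested_permissions(manifest_xml))
    hits = sum(ind.values())
    if ind["overlay"] and hits == 3:
        return "high", ind
    if ind["overlay"] and hits == 2:
        return "medium", ind
    return "low", ind


if __name__ == "__main__":
    verdict, indicators = triage(SAMPLE_MANIFEST)
    print(verdict, indicators)
```

Run it against the manifest produced by decoding an APK; the constructed sample scores "high" because it requests all three capabilities. Treat the verdict as a reason to look closer, not as a conviction: a screen-filter or launcher app legitimately requests SYSTEM_ALERT_WINDOW, and since runtime permissions became the norm the manifest alone says nothing about what was actually granted.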
Distribution of this malware comes via a variety of attack vectors, including self-registered domains, compromised websites and URL shortening services. FireEye was able to examine the link analytics associated with 30 short links known to redirect users to the overlay malware, and found that they generated over 161,000 clicks.
Typically, users are fooled into downloading the apps after receiving text messages that entice them to click on a malicious link. In two of the campaigns affecting Denmark and Austria, the downloaded malware arrives disguised as the official applications of the respective countries' post offices.