SMS Stealers on Telegram: Thousands of Users Targeted in Global Attacks
Cybercriminals are increasingly using Telegram as a command-and-control (C2) server for distributing malware. A recent study by Positive Technologies uncovered over a thousand Indonesian-origin Telegram bots being used to intercept one-time codes required to access various user accounts and services. Victims of these attacks include not only residents of Indonesia, but also users in Russia and Belarus.
Main Types of Malware Used
The majority of the analyzed malware falls into two categories: SMS Webpro and NotifySmsStealer. Instead of developing new malware from scratch, attackers use ready-made templates. The class structures, names, and code of these stealers are identical, differing only in their C2 servers and the format of messages sent via Telegram. NotifySmsStealer stands out from SMS Webpro by being able to steal information not only from messages but also from notifications.
How the Attacks Work
The attacks target regular users who receive phishing messages with an attached APK file. By downloading this file, victims unknowingly install an SMS stealer on their phones, allowing attackers to intercept one-time codes for logging into services. If criminals obtain a one-time password for a banking account, they can withdraw funds from the victim's account.
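As an added triage example (not code from the Positive Technologies research), the following script checks a decoded APK for the capability pattern described above: SMS permissions, a notification-listener service (the feature that distinguishes NotifySmsStealer from SMS Webpro), and a Telegram Bot API URL in the app's strings. The manifest, string dump and bot token are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# Telegram Bot API calls carry the bot token in the URL path: /bot<id>:<secret>/<method>
TELEGRAM_BOT_URL = re.compile(r"api\.telegram\.org/bot\d+:[\w-]+")

def triage_apk(manifest_xml, strings):
    """Flag an APK whose declared capabilities match the Telegram SMS-stealer pattern."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    listener = any(s.get(ANDROID + "permission") == NOTIFICATION_LISTENER
                   for s in root.iter("service"))
    findings = {
        "sms_access": bool(requested & SMS_PERMISSIONS),
        "notification_access": listener,          # NotifySmsStealer-style
        "telegram_bot_c2": any(TELEGRAM_BOT_URL.search(s) for s in strings),
    }
    findings["likely_sms_stealer"] = findings["sms_access"] and findings["telegram_bot_c2"]
    return findings

# Constructed sample manifest resembling a "wedding invitation" APK that steals SMS and notifications
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.invitation">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".NotifyService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed string dump (as strings(1) would list them); the bot token is a placeholder
SAMPLE_STRINGS = [
    "https://api.telegram.org/bot123456:PLACEHOLDER_TOKEN_abc/sendMessage",
    "chat_id",
]

if __name__ == "__main__":
    print(triage_apk(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

A hit on all three findings is a strong signal for this family; SMS access with a Telegram bot URL alone still matches the SMS Webpro profile.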
Attack Distribution and Victim Geography
During their research, Positive Technologies experts found numerous Indonesian Telegram chats that attract a large number of messages and victims daily. They discovered that the spread of SMS stealers often began with phishing attacks on WhatsApp. As bait, attackers used wedding invitations, bank notifications, and other documents.
According to experts, the majority of victims are Indonesian citizens, with the number of affected users reaching into the thousands. In India and Singapore, the number of malware downloads reached several dozen. Unique types of stealers are active in India and Bangladesh. In Russia, Belarus, and Malaysia, only isolated cases have been recorded.
How to Protect Yourself from SMS Stealers
- Check the file extensions of any files you receive.
- Do not download apps from links in messages sent from unknown numbers, even if the sender claims to be a bank employee.
- When downloading from Google Play, verify the app's name through official sources.
- Do not download or install apps that request suspicious permissions.
Following these recommendations can significantly reduce the risk of infecting your device with malware and help protect your data from cybercriminals.