An "insidious" new SMS smishing malware has been found targeting Android mobile users in the U.S. and Canada as part of an ongoing campaign that uses SMS text message lures related to COVID-19 regulations and vaccine information in an attempt to steal personal and financial data. The malware, discovered by security firm ESET, is disguised as a legitimate SMS message from the American Red Cross (ARC) which claims you have donations to make.

When the user clicks the SMS link in the message, or one of the other malicious links hosted on third-party websites, they are taken to a malicious web page designed to steal personal and financial data. The page also attempts to install additional malware whose only purpose appears to be collecting information for advertising services. Similar websites hosted by third parties are responsible for disguising other mobile link messages that redirect users to other Trojans posing as antivirus updates.

ESET has found that this malware is targeting Android mobile users in the U.S. and Canada. The malicious messages are not geographically specific to these regions, however, and it is recommended that you not click on any unknown messages, SMS or otherwise, unless you can verify their legitimacy.

The malicious websites linked from the SMS messages redirect to sites hosted by various third parties whose only purpose appears to be collecting user information for advertising services. These third-party sites also host other SMS lures unrelated to vaccine information and COVID-19 that attempt to install other malware such as banking Trojans and adware.

These Trojans are just the latest example of cyber-criminals exploiting COVID-19 regulations to target mobile users. You can read more about these other SMS message scams in an earlier eWEEK article.

Once initiated, the malware installs additional malware on the mobile device in an encrypted state, which ESET researchers believe is adware, and then sends text messages to numbers in various parts of the world that advertise adult services. It then tries to display a web page that appears to come from "Microsoft Security Essentials" in order to trick users into believing that their devices are infected with viruses and should be cleaned by following the instructions shown. To further this deception, the malware also uses scare tactics by displaying a screen with a 10-minute countdown timer.

The mobile message scam is named Android/Spy.SmsSend and is distributed in multiple stages. The first stage is an SMS text message with a link to the second-stage application hosted on an Internet server; the message appears as an ordinary SMS conversation in the mobile device's SMS app list. Once clicked, the link leads users to a web page that acts as a landing page for additional malicious payloads that exploit vulnerabilities in outdated versions of Adobe Flash and Oracle Java and then download and install further malicious payloads.
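The campaign's first stage, as the article describes it, is a text message that combines a topical lure (COVID-19, vaccines, Red Cross donations), a link to a second-stage download, and later a fake antivirus alert with a countdown timer. The following Python script is an added example, not ESET's or the article's own code: it scores constructed SMS messages against those indicators so a defender can triage reports of suspicious texts. All keyword lists, weights, the brand-to-domain allow-list and the sample messages are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field

# Added example (not ESET's or the article's code). Keyword lists, weights,
# allow-list and sample messages are constructed assumptions for illustration.

# Matches http(s) links and the defanged hxxp form used in threat reports.
URL_RE = re.compile(r'(?i)\b(?:hxxps?|https?)://[^\s<>"]+')

# Lure themes the article reports: COVID-19 regulations, vaccines, Red Cross donations.
LURE_TERMS = ("covid", "vaccine", "red cross", "donation")
# Scare tactics the article reports: fake infection alert, 10-minute countdown.
URGENCY_TERMS = ("device is infected", "within 10 minutes", "act now", "immediately")
# Brands the article says were impersonated, mapped to an assumed legitimate domain.
IMPERSONATED_BRANDS = {"red cross": "redcross.org", "microsoft": "microsoft.com"}

SUSPICIOUS_THRESHOLD = 5  # assumed cut-off for the "likely smishing" label


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def label(self) -> str:
        return "likely smishing" if self.score >= SUSPICIOUS_THRESHOLD else "no strong indicators"


def _host(url: str) -> str:
    """Strip the scheme (including defanged hxxp) and return the host part."""
    return re.sub(r'(?i)^(?:hxxps?|https?)://', '', url).split('/')[0].lower()


def _brand_mismatches(low: str, urls: list) -> list:
    """Flag messages that name a brand but link somewhere other than its domain."""
    hits = []
    for brand, legit in IMPERSONATED_BRANDS.items():
        if brand not in low:
            continue
        for url in urls:
            host = _host(url)
            if host != legit and not host.endswith('.' + legit):
                hits.append(f"mentions '{brand}' but links to {host}")
    return hits


def triage_sms(text: str) -> Verdict:
    """Score one SMS body; higher means more of the article's lure indicators."""
    verdict = Verdict()
    low = text.lower()
    urls = URL_RE.findall(text)

    if urls:
        verdict.score += 2
        verdict.reasons.append(f"contains link: {urls[0]}")
        # A link straight to an app package matches the second-stage download pattern.
        if any(u.lower().rstrip('.').endswith('.apk') for u in urls):
            verdict.score += 3
            verdict.reasons.append("link delivers an Android app package")

    for term in LURE_TERMS:
        if term in low:
            verdict.score += 1
            verdict.reasons.append(f"lure theme: {term}")

    for term in URGENCY_TERMS:
        if term in low:
            verdict.score += 2
            verdict.reasons.append(f"urgency/scare wording: {term}")

    for hit in _brand_mismatches(low, urls):
        verdict.score += 2
        verdict.reasons.append(hit)

    return verdict


# Constructed sample messages (not real campaign text); domains are placeholders.
SAMPLE_MESSAGES = [
    "American Red Cross: your COVID-19 donation is ready to confirm: hxxp://arc-donate.example/confirm",
    "Microsoft Security Essentials: device is infected! Clean it within 10 minutes: hxxp://clean-now.example/fix.apk",
    "Your dentist appointment is tomorrow at 10am. Reply C to confirm.",
    "Red Cross update: read the new volunteer guide at https://www.redcross.org/volunteer",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        v = triage_sms(msg)
        print(f"[{v.label}] score={v.score}: {msg}")
        for reason in v.reasons:
            print("    -", reason)
```

The allow-list check is what keeps a genuine Red Cross link from scoring as highly as the lure: a brand mention alone is weak evidence, but a brand mention paired with a link to an unrelated host is the pattern the article describes. In practice the keyword lists would be tuned against real reports rather than the handful of themes named here.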

At this time, ESET researchers are not aware of any specific exploits being used to infect devices with malicious payloads. However, the web page mentioned above asks for user information such as the device's MAC address and serial number. This information is then sent back to the attacker, ultimately giving the attackers the ability to access the device's administrator panel.

The malware authors behind this campaign brought together several pieces of malware previously used by different attackers in order to make it more difficult for security researchers to discover exactly what is being installed on devices infected through the message scams. For example, early versions of this malware used legitimate Android app names to launch other malware.

In addition, ESET researchers believe that this campaign is being orchestrated from servers based in the United Kingdom. The command and control servers used for this campaign were found to be hosted on Cloudflare's network. In fact, among other C&C domains, "hxxp://www.google-analytics.com" was hosted on one of these networks. Though ESET researchers have not been able to establish a conclusive connection between these servers and the threat actor behind this campaign, there is a possibility that they are owned by the same group that runs the infamous Hacking Team (HT) server infrastructure that was compromised earlier this year.

The end goal of this Android campaign appears to be the same as that of earlier malware campaigns which used fake antivirus software updates to intercept text messages, in turn gaining access to another device on the network. The malicious SMS message is not unique in its messaging format, which points to similarities in the overall infection process of victims with this malware.

This has remained unchanged from previous scams. The cybercriminals behind these scams are looking for any available means by which they can gain access to victims' devices, whether it is phishing for credentials or brute-forcing them with ransomware.

Interested in reading more about how malware is targeting users today? "Cybercrime Asking Insiders to Plant Malware" discusses how malware is being planted by current employees within a business.


If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consulting, or PCI Compliance, please do not hesitate to call us at 864-859-9848 or email us at deveren@liquidvideotechnologies.com.