SMSFactory Android malware sneakily subscribes to premium services

Security researchers are warning of an Android malware named SMSFactory that adds unwanted costs to the phone bill by subscribing victims to premium services.

The number of its victims is unclear but attempts to infect Android devices have been recorded for tens of thousands of Android users protected by Avast security products in at least eight countries.

SMSFactory has multiple distribution channels, including malvertising, push notifications, promotional pop-ups on sites, and videos promising game hacks or adult content access.

According to Avast, SMSFactory targeted more than 165,000 of its Android customers between May 2021 and May 2022, most of them located in Russia, Brazil, Argentina, Turkey, and Ukraine.

SMSFactory heatmap (Avast)

While SMSFactory’s main goal is to send premium text messages and make calls to premium phone numbers, Avast researchers noticed a malware variant that can also steal the contact list on compromised devices, likely to be used as another distribution method for the threat.

Jakub Vávra of Avast notes that SMSFactory is hosted on unofficial app stores. ESET researchers found the malicious APK package on APKMods and PaidAPKFree, two Android app repositories that lack vetting and proper security policies for the listed products.

SMSFactory’s stealthy operation

The SMSFactory APK may come under different names. When a user tries to install it on a device, Play Protect, Android’s built-in security system, raises a warning about the potential security risk from the file.

Play Protect warning (Avast)

The permissions requested upon installation include access to location data and SMS, the ability to make phone calls and send SMS, wake lock and vibrate, overlay management, use of the entire screen, notification monitoring, and starting activities from the background.

These are all permissions indicative of malicious activity, but careless users who look forward to accessing the promised content are likely to allow them without reviewing them.
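For defenders triaging a sideloaded APK, the permission set described above can be checked against a decoded AndroidManifest.xml. The following is an added example, not code from Avast or the original article; the mapping from the article's wording to standard Android permission names, the scoring rule, and both sample manifests are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Assumed mapping: article wording -> standard Android permission names.
CATEGORIES = {
    P + "ACCESS_FINE_LOCATION": "location", P + "ACCESS_COARSE_LOCATION": "location",
    P + "READ_SMS": "read_sms", P + "RECEIVE_SMS": "read_sms",
    P + "SEND_SMS": "send_sms", P + "CALL_PHONE": "call_phone",
    P + "WAKE_LOCK": "wake_lock", P + "VIBRATE": "vibrate",
    P + "SYSTEM_ALERT_WINDOW": "overlay",
    P + "USE_FULL_SCREEN_INTENT": "full_screen",
    P + "BIND_NOTIFICATION_LISTENER_SERVICE": "notification_listener",
}
BILLING = {"send_sms", "call_phone"}  # can add charges to the phone bill
STEALTH = {"overlay", "notification_listener", "full_screen"}

def triage(manifest_xml):
    """Heuristic: billing-capable permissions plus a stealth signal."""
    root = ET.fromstring(manifest_xml)
    names = {e.get(A + "name") for e in root.iter("uses-permission")}
    # Notification access is declared on a <service>, not via <uses-permission>.
    names |= {e.get(A + "permission") for e in root.iter("service")}
    found = {CATEGORIES[n] for n in names if n in CATEGORIES}
    app = root.find("application")
    # The article notes the app ships with no name or icon.
    unnamed = (app is not None and app.get(A + "label") is None
               and app.get(A + "icon") is None)
    suspicious = bool(found & BILLING) and (bool(found & STEALTH) or unnamed)
    return {"categories": sorted(found), "unnamed_app": unnamed,
            "suspicious": suspicious}

# Constructed sample manifests (not taken from any real APK).
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
SAMPLE_FLAGGED = f"""<manifest {NS} package="com.example.constructed">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application>
    <service android:name=".Listener"
      android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_BENIGN = f"""<manifest {NS} package="com.example.flashlight">
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Torch" android:icon="@drawable/ic"/>
</manifest>"""
```

The input must be the decoded text form of the manifest; the binary XML inside an APK has to be converted first. A hit is a reason to look closer, since legitimate messaging and dialer apps also request SMS and call permissions.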

Once installed, the app shows the victim a fake content screen for a service that doesn’t work or is mostly unavailable.

The app itself has no assigned name or icon and can remove the latter from the screen to make its removal more difficult after exiting. As a result, most victims assume that something went wrong with the installation and don’t give the app another thought.

SMSFactory using no icon or name (Avast)

However, SMSFactory continues to operate in the background, establishing a connection to the command and control (C2) server and sending an ID profile of the infected device.

If the campaign operators deem the device usable, they send back instructions and subscribe the victim to premium services.

One of the most recent variants of the SMSFactory malware can also add admin accounts on the device, likely required for the SMS distribution using the contact list.

How to stay safe

To avoid larger bills, users are advised to download apps only from trusted sources, such as Google Play. They should keep the number of applications they’re using to a minimum and read reviews from other users before installing anything.

Additionally, keep your operating system updated to the latest available version for your device and run regular scans via Play Protect.

For malware that subscribes to premium services, some carriers offer the option to disable or limit this action.

Source: https://www.bleepingcomputer.com/news/security/smsfactory-android-malware-sneakily-subscribes-to-premium-services/
