Hackers are exploiting a bug in SMS verification services to infect Android devices, according to an analysis of SMS phone-verified account (PVA) services.
The recent finding brings to light the flaws of relying on SMS for account validation. SMS PVA services have been around since 2018 and provide users with alternative mobile numbers. Users can register for other online services and platforms with these numbers, thus bypassing the SMS-based authentication and single sign-on (SSO) mechanisms put in place to verify new accounts.
Trend Micro researchers in a report published last week said, “This type of service can be used by malicious actors to register disposable accounts in bulk or create phone-verified accounts for conducting fraud and other criminal activities.”
The company gathered telemetry data that suggests most of the infections are located in Indonesia (47,357), followed by Russia (16,157), Thailand (11,196), India (8,109), France (5,548), Peru (4,915), Morocco (4,822), South Africa (4,413), Ukraine (2,920), and Malaysia (2,779).
Most of the devices affected are budget Android phones assembled by original equipment manufacturers such as Lava, ZTE, Mione, Meizu, Huawei, Oppo, and HTC.
Findings suggest that Android phones infected with SMS-intercepting malware are behind one such service, dubbed smspva[.]net. The infection may have occurred either through malware downloaded accidentally by the user or through malicious software preloaded onto the devices during manufacturing, implying a supply-chain compromise.
The underground PVA service advertises, via an API, “bulk virtual phone numbers” for use on various platforms. It also claims to hold phone numbers spanning more than 100 countries.
The Guerrilla malware (“plug.dex”) is engineered to parse SMS messages received on the affected Android phone. It checks them against specific search patterns received from a remote server and then exfiltrates the messages that match those expressions back to the server.
The researchers added, “The malware remains low-profile, collecting only the text messages that match the requested application so that it can covertly continue this activity for long periods. If the SMS PVA service allows its customers to access all messages on the infected phones, the owners would quickly notice the problem.”
SMS PVA services are also able to get around a restriction many online portals use to authenticate new accounts: cross-checking the location (i.e. the IP address) of the user against their phone number during registration. They do so by using residential proxies and VPNs to connect to the desired platform.
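The location cross-check described above, together with the two extra signals a defender would want because residential proxies defeat it (proxy/VPN ranges and one number feeding many sign-ups), written out as an added example that is not code from the article or from Trend Micro. The dialling-code table, the IP-to-country map and the proxy range list are constructed stand-ins for a real geolocation and reputation feed.

```python
import ipaddress
from collections import Counter
from typing import List, Optional

# Constructed subset of E.164 dialling codes for countries named in the report.
DIAL_CODES = {"62": "ID", "7": "RU", "66": "TH", "91": "IN", "33": "FR",
              "51": "PE", "212": "MA", "27": "ZA", "380": "UA", "60": "MY"}
# Constructed stand-ins for a geolocation feed and a proxy/VPN range list
# (addresses come from the RFC 5737 documentation ranges).
IP_COUNTRY = {ipaddress.ip_network("198.51.100.0/24"): "ID",
              ipaddress.ip_network("192.0.2.0/24"): "FR",
              ipaddress.ip_network("203.0.113.0/24"): "FR"}
PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

def phone_country(e164: str) -> Optional[str]:
    """Country of a +-prefixed number by longest dialling-code match."""
    digits = e164.lstrip("+")
    for length in (3, 2, 1):
        if digits[:length] in DIAL_CODES:
            return DIAL_CODES[digits[:length]]
    return None

def ip_country(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((c for net, c in IP_COUNTRY.items() if addr in net), None)

def is_proxy(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_RANGES)

class RegistrationGuard:
    """Scores one sign-up; the caller decides whether to step up verification."""
    def __init__(self, max_accounts_per_number: int = 2) -> None:
        self.max_accounts_per_number = max_accounts_per_number
        self.number_uses: Counter = Counter()

    def assess(self, phone: str, ip: str) -> List[str]:
        reasons = []
        pc, ic = phone_country(phone), ip_country(ip)
        if pc is None:
            reasons.append("unknown_dial_code")
        elif ic != pc:  # the location check the portals above rely on
            reasons.append(f"geo_mismatch:{pc}/{ic}")
        if is_proxy(ip):  # a proxy/VPN in the right country passes the geo check
            reasons.append("proxy_or_vpn")
        self.number_uses[phone] += 1
        if self.number_uses[phone] > self.max_accounts_per_number:
            reasons.append("number_reuse")  # one PVA number feeding many accounts
        return reasons
```

An empty list means no signal fired; a French number arriving through a French residential proxy passes the geo check and is caught only by the proxy flag, which is the gap the report points at.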