At least six countries, if not more, have been hit by a smishing (SMS phishing) campaign targeting Android devices, security firm FireEye reports.
Crooks are spamming users with SMS messages across different countries via targeted campaigns, luring users to access malicious URLs and install malware-infected applications.
The role of these apps is to show fake login screens over legitimate applications and collect the user’s credentials, which are then logged on the attacker’s servers.
Crooks targeted users in separate countries for months
FireEye says the crooks behind this latest smishing wave are running smaller localized campaigns, targeting one country at a time, focusing on one app, sometimes more. FireEye detected five different campaigns from the start of the year:
1. In February and March, crooks targeted users in Denmark with an app that showed phishing overlays for the MobilePay app from DanskeBank.
2. In February, crooks targeted users in Italy with a fake app that showed phishing overlays for WhatsApp.
3. In March, crooks targeted users in Germany with a fake app that showed phishing overlays for Google Play and WhatsApp.
4. From March to June, crooks carried out their biggest operation and targeted users in Denmark, Germany, Italy, Norway, and the UK, with a malicious app that collected credentials for eight legitimate apps, with the biggest being Uber, YouTube, and Wechat.
5. In April and May, crooks ran the same operation, but this time targeted only users located in Austria.
Over 160,000 users are possibly affected
For these campaigns, crooks used URL shortening services to mask the location of their malicious link. Since most URL shortening services provide analytics, FireEye says that in total, it discovered that users opened the 30 malicious links it detected 161,349 times.
27 of the 30 malicious links were hosted on Bit.ly, while the other services involved are tr.im, jar.mar, and is.gd.
FireEye identified twelve C&C servers used to coordinate the smishing campaigns, hosted on self-registered domains or compromised websites.
The security firm says that these malicious apps distributed via the SMS phishing campaign used advanced obfuscation to evade detection and used the code reflection technique to bypass SMS writing restrictions enforced by the App Ops service introduced in Android 4.3.
“The latest Smishing campaigns spreading in Europe show that Smishing is still a popular means for threat actors to distribute their malware,” FireEye observed. “To protect against these threats, FireEye suggests that users not install apps from outside official app stores, and take caution before clicking any links where the origin is unclear.”