Mallory

Android Mobile Malware Campaigns Targeting SMS/OTP and Identity Data

Tags: mobile malware, SMS interception, SMS lures, SmsManager, account takeover, trojanized app, phishing automation, Android, Android RAT, OTP theft, payment fraud, Telegram, certificate spoofing, TelephonyManager, GPS tracking
Updated March 9, 2026 at 03:02 PM · 3 sources


Multiple reports highlight evolving Android threats that abuse SMS/telephony access and advanced evasion to enable fraud, surveillance, and account takeover. CloudSEK described a shift from repackaged apps to runtime manipulation using the LSPosed framework, where a malicious module (e.g., Digital Lutera) hooks SmsManager and TelephonyManager to undermine India’s UPI SIM-binding controls. The technique can intercept registration tokens and 2FA codes, spoof the device identity and phone number, and exfiltrate data to Telegram; it also uses Socket.IO for real-time C2. Because the module can remotely inject fabricated SMS entries into the device’s “Sent” database, bank backends can be led to believe a SIM is present on a different device, which enables scalable payment fraud and account takeover.

Separately, Acronis TRU (reported by Hackread) identified a fake Red Alert rocket-warning app distributed via SMS lures impersonating Israel’s Home Front Command. The trojanized app displays legitimate alerts to reduce suspicion while requesting extensive permissions to steal GPS location, SMS/OTP, contacts, installed-app inventory, and on-device account details, then exfiltrates the data to a remote server; it also uses certificate spoofing and UI tricks so the install appears to have come from the Play Store. Zimperium reported a new Android RAT, SurxRAT, that can download and run LLM modules from third-party repositories to automate phishing and social engineering and to interact with apps and UI for credential theft and data exfiltration. Together these reports reinforce the need for behavior-based mobile detection, tighter app controls, and stronger integrity enforcement (e.g., the Play Integrity API with the MEETS_STRONG_INTEGRITY verdict) where applicable.
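The Play Integrity enforcement recommended above is only as strong as the server-side check of the verdict, and the SIM-binding bypass described by CloudSEK is exactly the kind of request such a check should gate. The following is an added example, not code from CloudSEK, Google, or any of the cited reports: a back-end policy function that decides whether a SIM-binding request may proceed. It assumes the Android app has already requested a classic integrity token with a server-issued nonce and that the server has already had Google's decode endpoint return the decrypted verdict JSON (neither call is shown). The field names follow Google's documented verdict layout; the package name, nonce, five-minute freshness window and the sample verdicts are constructed for illustration.

```python
"""Server-side enforcement of a Play Integrity verdict before a SIM-binding step.

Added example: it assumes the Android app already requested a classic
integrity token with a server-issued nonce and that the server already had
Google's decode endpoint return the decrypted verdict (neither call is shown).
Field names follow the documented verdict layout; nonce, package name,
freshness window and sample verdicts are constructed for illustration.
"""
import time

STRONG = "MEETS_STRONG_INTEGRITY"
DEVICE = "MEETS_DEVICE_INTEGRITY"
BASIC = "MEETS_BASIC_INTEGRITY"

MAX_AGE_MS = 5 * 60 * 1000                    # hypothetical freshness policy
SAMPLE_PACKAGE = "com.example.upibank"        # constructed package name
SAMPLE_NONCE = "c2VydmVyLWlzc3VlZC1ub25jZQ"   # constructed server nonce
FIXED_NOW = 1_772_000_000_000                 # constructed "now" for stable results


def verify_integrity_verdict(verdict, expected_nonce, expected_package,
                             now_ms=None, require_strong=True):
    """Return (accepted, reasons).

    Every failed check appends a reason instead of returning early, so the
    full picture can be logged and alerted on. require_strong=False relaxes
    the policy to MEETS_DEVICE_INTEGRITY for lower-risk operations.
    """
    reasons = []
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    req = verdict.get("requestDetails", {})

    # Nonce binding: the token must answer this server's challenge, otherwise a
    # token captured on one device could be replayed from another.
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch")
    if req.get("requestPackageName") != expected_package:
        reasons.append("package name mismatch")

    # timestampMillis is serialized as a string in the verdict JSON.
    try:
        ts = int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        ts = None
    if ts is None or ts > now_ms or now_ms - ts > MAX_AGE_MS:
        reasons.append("verdict missing, stale or from the future")

    # Device verdict: a rooted, unlocked or hooked device reports fewer labels
    # (often none); a SIM-binding step should demand the strongest one.
    labels = set(verdict.get("deviceIntegrity", {})
                 .get("deviceRecognitionVerdict", []))
    required = STRONG if require_strong else DEVICE
    if required not in labels:
        reasons.append(f"device lacks {required} (got {sorted(labels) or 'none'})")

    app = verdict.get("appIntegrity", {}).get("appRecognitionVerdict")
    if app != "PLAY_RECOGNIZED":
        reasons.append(f"app not Play-recognized ({app})")
    lic = verdict.get("accountDetails", {}).get("appLicensingVerdict")
    if lic != "LICENSED":
        reasons.append(f"app not licensed ({lic})")

    return (not reasons, reasons)


def sample_verdict(labels, nonce=SAMPLE_NONCE, ts=FIXED_NOW - 1000):
    """Constructed decoded verdict in the documented layout (not Google output)."""
    return {
        "requestDetails": {"requestPackageName": SAMPLE_PACKAGE,
                           "nonce": nonce, "timestampMillis": str(ts)},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                         "packageName": SAMPLE_PACKAGE, "versionCode": "42"},
        "deviceIntegrity": {"deviceRecognitionVerdict": list(labels)},
        "accountDetails": {"appLicensingVerdict": "LICENSED"},
    }


def demo():
    """Run the policy over constructed scenarios; returns scenario -> reasons."""
    scenarios = {
        "healthy device": sample_verdict([BASIC, DEVICE, STRONG]),
        "no integrity labels (rooted/hooked)": sample_verdict([]),
        "replayed token (wrong nonce)": sample_verdict([BASIC, DEVICE, STRONG],
                                                      nonce="stale-nonce"),
        "stale verdict": sample_verdict([BASIC, DEVICE, STRONG],
                                        ts=FIXED_NOW - MAX_AGE_MS - 1),
    }
    return {name: verify_integrity_verdict(v, SAMPLE_NONCE, SAMPLE_PACKAGE,
                                           now_ms=FIXED_NOW)[1]
            for name, v in scenarios.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'ALLOW' if not reasons else 'DENY ' + '; '.join(reasons)}")
```

In production the check belongs on the same server that issued the nonce, should deny on any reason, and should log the reasons for detection engineering: a rise in "got none" verdicts across one population of accounts is itself a signal worth alerting on. The standard (non-classic) request flavor carries a `requestHash` instead of `nonce`; the comparison would then be made against that field.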

Related Stories

Android Malware Leveraging Legitimate Apps for Surveillance and Theft

Threat actors have increasingly adopted sophisticated techniques to distribute Android malware by disguising malicious applications as legitimate ones on the Google Play Store and other platforms. Notably, the new Cellik Android RAT has been identified as turning legitimate Google Play apps into surveillance tools, enabling attackers to covertly monitor and exfiltrate sensitive user data. In parallel, operations involving the Wonderland SMS stealer have merged dropper, SMS theft, and RAT capabilities at scale, with attackers using fake Google Play Store pages, ad campaigns, and messaging apps to propagate malware, particularly targeting users in Uzbekistan. These campaigns often leverage Telegram for coordination and distribution, and employ advanced methods such as intercepting OTPs and exfiltrating contact lists to facilitate financial theft and evade detection. The evolution of Android malware now includes the use of droppers that appear harmless but deploy malicious payloads locally after installation, even without an active internet connection. The Wonderland malware, attributed to the TrickyWonders group, demonstrates bidirectional command-and-control communication, allowing real-time execution of commands and theft of SMS messages. The convergence of these techniques highlights a growing trend in mobile threat operations, where attackers exploit the trust in legitimate app platforms and social engineering to compromise devices, steal credentials, and siphon funds from victims' bank accounts.

2 months ago
Mobile and Messaging Scams Use Impersonation and Urgency to Steal Credentials and Data


Acronis researchers reported a deceptive Android campaign targeting Israeli users with a trojanized version of the *Red Alert* rocket-warning app distributed via SMS messages impersonating Israel’s Home Front Command. The fake app displays legitimate rocket alerts to reduce suspicion while requesting extensive permissions that enable **GPS tracking**, **SMS interception (including one-time passwords)**, contact harvesting, installed-app enumeration, and account discovery; collected data is exfiltrated to a remote server, and the operators used **certificate spoofing** to make the installation appear as if it came from Google Play. Separate consumer-focused advisories described multiple **social-engineering/phishing** lures delivered via text, email, and calendar invites: an “Amazon recall” SMS that pushes victims to a credential-harvesting site for “refunds,” an “Apple Security Alert” pop-up/text/email that attempts to drive victims to call a fraudulent support number or surrender credentials/2FA/payment details, and a trend of **fake calendar invitations** increasingly appearing in Microsoft Outlook (previously more common in Gmail) using urgent subjects (e.g., “Final Notice”) and domain-reconnaissance to personalize invites; the Outlook example noted mixed authentication signals (DMARC/SPF/DKIM pass/fail across relays), underscoring that users and defenders should treat unsolicited invites and urgent account/payment prompts as high-risk even when messages appear superficially legitimate.

1 week ago
Mobile malware and phishing campaigns abuse AI branding and Android tooling to steal credentials and surveil victims


Multiple mobile-focused threats were reported spanning **Android banking malware**, **iOS credential-harvesting via App Store listings**, and **Android espionage via trojanized crisis apps**. A new Android banking trojan marketed as **Mirax Bot** was advertised on underground forums as a **Malware-as-a-Service (MaaS)** offering, with claimed capabilities including **700+ app injects**, **Hidden VNC (HVNC)** for stealthy remote control, and features positioned for **account takeover (ATO)** and large-scale financial fraud; researchers noted the feature list is based on seller claims and not yet independently verified. Separately, researchers described **PromptSpy**, characterized as an Android threat that uses **generative-AI techniques** to improve phishing and fraud by generating more convincing social-engineering content and automating deceptive interactions on-device. In parallel, a phishing operation targeted iPhone users by impersonating **ChatGPT** and **Google Gemini** in emails that directed victims to **fraudulent iOS apps hosted on Apple’s App Store**; the apps (including *GeminiAI Advertising* `id6759005662` and *Ads GPT* `id6759514534`) presented a fake **Facebook login** flow to harvest credentials. Another campaign, **RedAlert**, weaponized a trojanized version of Israel’s “Red Alert” emergency app distributed as `RedAlert.apk` via **SMS phishing (smishing)**, pushing victims to sideload the APK; analysis reported the app mimicked the legitimate interface while requesting high-risk permissions (e.g., **SMS**, contacts, precise **GPS**) consistent with covert surveillance and data theft. A separate Kaspersky post focused on consumer guidance for disabling AI assistants and broader privacy concerns, and does not materially add incident-specific threat intelligence to the mobile malware/phishing reporting.

1 week ago

Get Ahead of Threats Like This

Mallory continuously monitors global threat intelligence and correlates it with your attack surface. Know if you're exposed — before adversaries strike.