A newly discovered mobile malware can run up quite the phone bill for its victims, cybersecurity pros from Avast have revealed.
The antivirus company recently spotted SMSFactory, a unique malware being distributed among its Brazilian customers, with mobile users in Russia, Ukraine, Turkey, and Argentina also appearing to be targeted.
SMSFactory deals damage by having the Android smartphone make phone calls and send SMS messages to premium numbers. It’s being distributed through unofficial channels, meaning you won’t find SMSFactory on the Play Store, but you will find it on APKMods and PaidAPKFree, two mobile app repositories with dubious policies. Avast also says the attackers promote the app with malvertising, push notifications, various promotional pop-ups and websites, videos, and the like.
Accessing the contacts list
Among the various permissions the app asks for, researchers found, is permission to access the contact list, so it’s highly likely the malware uses the list to further expand its reach. Other requested permissions include location data, permission to make phone calls, send and read SMS messages, wake lock and vibrate, draw overlays, use the entire screen, track notifications, and start various activities from the background.
If these permissions weren’t a big enough red flag, the Android device will also trigger a warning at installation, telling the potential victim that the app is risky. However, many seem to have turned a blind eye to the warnings, as the app has “tens of thousands” of installations, Avast said.
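The permission profile described above is a useful triage signal on its own. The script below is an added example, not Avast's tooling or SMSFactory's real manifest: it parses the uses-permission entries of a constructed AndroidManifest.xml and flags the toll-fraud combination (billing-capable SMS/call permissions together with contact access and overlays). The permission constants are standard Android ones; the verdict thresholds are an assumption for illustration.

```python
"""Triage an Android manifest's requested permissions against the
toll-fraud profile described in the article (premium calls/SMS plus
contacts and overlays). The sample manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the article attributes to SMSFactory, mapped to the
# standard Android permission strings that grant them.
TOLL_FRAUD = {
    "premium_sms": {"android.permission.SEND_SMS"},
    "premium_calls": {"android.permission.CALL_PHONE"},
    "read_sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "persistence": {"android.permission.WAKE_LOCK", "android.permission.RECEIVE_BOOT_COMPLETED"},
}

def requested_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values from <uses-permission> tags."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}

def triage(manifest_xml: str) -> dict:
    """Map permissions to capabilities and assign a heuristic verdict."""
    perms = requested_permissions(manifest_xml)
    hits = {cap: sorted(perms & names) for cap, names in TOLL_FRAUD.items() if perms & names}
    caps = set(hits)
    # SEND_SMS or CALL_PHONE alone is common in legitimate apps; the
    # combination with contact access and overlays matches the profile
    # described in the article, so only that combination rates "high".
    billing = {"premium_sms", "premium_calls"} & caps
    verdict = "review" if billing else "low"
    if billing and {"contacts", "overlay"} <= caps:
        verdict = "high"
    return {"permissions": sorted(perms), "matched": hits, "verdict": verdict}

# Constructed sample: mirrors the permission list from the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```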
Once installed, the app will display a message that it doesn’t work or that the service is unavailable. Given that it hides its name and icon, many users struggle to delete it, or apparently forget they have anything installed.
Still, the app continues working in the background, maintaining its connection to the C2 server and sending an ID profile of the infected endpoint.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.