A new report released today from mobile security platform provider Zimperium Inc. is warning of a new and potent threat that hijacks onetime password text messages, posing significant risks to account security and personal data.
Called SMS Stealer, the malicious software has been identified in over 105,000 samples across more than 600 global brands, highlighting its extensive reach and risks, including account takeovers and identity theft.
SMS Stealer uses fake ads and Telegram bots posing as legitimate services to trick victims into gaining access to their SMS messages. Once access is granted, the malware connects to one of its 13 command-and-control servers, confirms its status and then begins transmitting stolen SMS messages, including OTPs.
OTPs have become a highly popular way for financial companies and others to add an additional layer of security to online accounts. Anyone with a bank account knows how it works – you get sent an SMS message with an OTP that is used to confirm a transaction, but SMS Stealer’s ability to intercept those messages undermines the security feature, giving bad actors the ability to gain control over potential victims’ accounts. SMS Stealer remains hidden on infected devices, allowing for continuous attacks.
The SMS Stealer malware can intercept and steal OTPs and login credentials, leading to complete account takeovers, infiltration of systems with additional malware and deployment of ransomware, resulting in data encryption and financial demands for recovery. Additionally, attackers can make unauthorized charges, create fraudulent accounts and facilitate significant financial theft and fraud.
Stephen Kowski, field chief technology officer at email security company SlashNext Inc., told SiliconANGLE that the “malware’s ability to intercept onetime passwords and target more than 600 global brands highlights a critical vulnerability in current security frameworks and demonstrates the sophisticated nature of mobile threats today.”
Darren Guccione, co-founder and chief executive at cybersecurity company Keeper Security Inc., noted that SMS Stealer “is a stark reminder of the evolving tactics of cybercriminals to exploit unsuspecting victims.”
“The transmission of stolen SMS messages – and OTPs in particular – is highly concerning,” Guccione added. “By intercepting these messages, cybercriminals can bypass those multifactor authentication protections, gain unauthorized access to accounts and potentially cause very real harm.”