SMS Messages Stealing Billions of Rials from Citizens of Iran

In the midst of major cyber-attacks targeting the general population of Iran, Check Point Research sees ongoing malicious campaigns using socially engineered SMS messages to infect tens of thousands of devices of Iran's citizens. The SMS messages, designed to impersonate the Iranian government, lure victims into downloading malicious Android applications that steal credit card credentials, personal SMS messages and two-factor authentication codes. The threat actors then proceed to make unauthorized money withdrawals and turn each infected device into a bot, spreading the malware to others. Check Point Research attributes attacks to threat actors, likely in Iran, who are financially motivated.

The threat actors involved leverage a technique known as "smishing" botnets, where compromised devices are used as bots to spread similar phishing SMS messages to other potential victims. The threat actors use multiple Telegram channels to promote and sell their tools. For $50-$150, the threat actors provide a full “Android Campaign Kit”, including the malicious application and underlying infrastructure, with a control panel that can be easily managed by any unskilled attacker via a simple Telegram bot interface.

The report further states that, in the midst of major cyber attacks targeting the general population of Iran, including cyber attacks on the railways, gas stations and more. Check Point Research attributes these latest cyber attacks to threat actors who are motivated purely by financial gain.

Check Point Research estimates that the threat actors behind these attacks compromised and installed malware on tens of thousands of Android devices, resulting in the theft of billions of Iranian Rials from victims, with estimates of $1,000 to $2,000 per victims. Furthermore, the investigation reveals that the data stolen from victims' devices is freely accessible to third parties online, as it has not been protected.

The Android backdoor capability includes:

- SMS stealing: Immediately after the installation of the fake app, all the victim's SMS messages are uploaded to the attacker's server.

- Hiding to maintain persistence: After the credit card information is sent to the threat actor, the application can hide its icon, making it challenging for the victim to control or uninstall the app.

- Bypass 2FA: having access to both the credit card details and SMS on the victim's device, the attackers can proceed with unauthorized withdrawals from the victim’s bank accounts, hijacking the 2FA authentication (one-time password)

- Botnet Capabilities: The malware allows the attacker to execute additional commands on the victim's device, such as stealing contacts and sending SMS messages.

- Wormability: The app can send SMS messages to a list of potential victims, using a custom message and a list of phone numbers both retrieved from the C&C server. This allows the actors to distribute phishing messages from the phone numbers of typical users instead of from a centralized place and not be limited to a small set of phone numbers that could be easily blocked. This means that technically, there are no "malicious" numbers that can be blocked by the telecommunication companies or traced back to the attacker.

S Mohini Ratna, Editor, VARINDIA