Wednesday, June 1, 2022

SMSFactory Android Trojan producing high costs for victims


Avast protected more than 165,000 people around the world from this threat within a year.

Avast has been tracking a widespread malware campaign consisting of TrojanSMS malware, which we are calling SMSFactory. SMSFactory sneakily siphons money from victims around the world, including Russia, Brazil, Argentina, Turkey, Ukraine, US, France and Spain, among others, by sending premium SMS and making calls to premium-rate phone numbers. These numbers appear to be part of a conversion scheme, where the SMS includes an account number identifying who should receive the money for the messages sent. Undetected, it can rack up a high phone bill, up to $7 per week or $336 per year, leaving an unpleasant surprise for victims. One version we found is also capable of extracting victims' contact lists, likely to spread the malware further.

We have dubbed the malware SMSFactory because of its functions, as well as class names in its code, one of which is called SMSFactory.

According to my research, the malware is spreading through malvertising, push notifications, and alerts displayed on sites offering game hacks, adult content, or free video streaming, serving the malware disguised as an app through which users can access gaming, videos, or adult content. Once installed, the malware hides itself, making it nearly impossible for victims to detect what is causing the charges on their phone bills.

A series of websites has been set up for the purpose of spreading and remotely controlling the malware. Avast has protected more than 165,000 Avast users from SMSFactory in the past year (May 2021-May 2022), with the highest number of users protected in Russia, Brazil, Argentina, Turkey and Ukraine.

Silently sending $ignals

The bad actors behind SMSFactory rely on malvertising to drive their campaign. Malvertising refers to the misuse of ads to redirect users to sites with malware payloads, and can often appear on websites providing free streaming of videos and TV shows, adult content, or torrent aggregators, but may occasionally appear on mainstream sites as well.

The redirect in this case leads to a website such as the one in the screenshot below. The user is prompted to download a file that is made to resemble the site the user was redirected from. This can, for example, be a game hack app, an adult content app, a free video streaming app or similar.

Redirect landing page with dynamic name visible in the top right corner

Examples of different names for the same SMSFactory app

Once the user clicks on Download, the malicious app is downloaded. Because it comes from a third-party source, the website prompts the user to ignore Android's built-in Play Protect warning and go ahead with the installation.

Screenshots showing how SMSFactory prompts the user to disable/ignore Play Protect in order to install the malware

Once installed, the user is met with a welcome screen. Clicking accept will activate the app's malicious behavior. The app then presents the user with a basic menu of videos, adult content and games that don't work or aren't accessible most of the time.

Example of an SMSFactory app upon installation

Ready or not, here come the charges!

SMSFactory uses several tricks to stay on the victim's device and remain undetected. It has a blank icon and it is able to hide its presence from the user by removing its app icon from the home screen. Additionally, it comes with no application name, making it more difficult for the user to locate the offending application and remove it. It is evident the malware relies on the user forgetting the app on their phone.

A blank icon and lack of app name are used to disguise the apps

Once hidden, the malware communicates with a pre-set domain. It sends a unique ID assigned to the device, its location, phone number, operator information, and model of the phone. If the actors behind this campaign deem the victim's device usable, the domain sends back instructions to the device. This can either be a list of phone numbers to which the malware will send premium SMS or a specific number which the application will attempt to call.

Both will result in excessive charges for the victim. The exact amount depends on the command sent by the actors behind SMSFactory: in our testing, we have seen a daily $1 charge through ten SMS messages sent, which can rack up to $28 per month. Assuming the victims don't notice or forget the app is installed, this could result in an extortionate phone bill.

A portion of the permissions used by SMSFactory: SMS/MMS permissions as well as CALL_PHONE are used to siphon money away from victims by sending messages and making calls to premium-rate numbers

Due to the nature of the malware, the user may be unaware of the financial damage until they receive their phone bill. SMSFactory can accrue significant charges in the meantime and it may be difficult for the user to identify the culprit because the app hides itself.

Different Factory versions

SMSFactory also appears to have several different versions with added features, which have appeared alongside this recent campaign. One such variation can create a new admin account on the Android device, making it potentially difficult to remove. Another variant copies the contact list of the victim and extracts it, seemingly to be used for further spread of the malware. Some versions redirect users to sites in an effort to get them to install another SMSFactory app onto their device.
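As an added defender-side example (not code from the Avast post), a small Python triage script that flags, in a decoded AndroidManifest.xml, the traits described in the sections above: the SMS and CALL_PHONE permissions used for premium messages and calls, the blank app name and missing icon used for hiding, the contact-list permission, and the device-admin receiver a variant uses to resist removal. The two manifests are constructed for the example and are not real SMSFactory samples.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes

# Permissions the post ties to SMSFactory's behaviour (premium SMS, premium calls, contacts).
RISKY = {
    "android.permission.SEND_SMS": "can send premium SMS in the background",
    "android.permission.CALL_PHONE": "can dial premium-rate numbers",
    "android.permission.READ_CONTACTS": "can read the contact list for exfiltration",
}
DEVICE_ADMIN = "android.app.action.DEVICE_ADMIN_ENABLED"  # device-admin receiver action

def triage_manifest(xml_text: str) -> list[str]:
    """Return human-readable findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    out = []
    granted = {p.get(A + "name") for p in root.iter("uses-permission")}
    for perm, why in RISKY.items():
        if perm in granted:
            out.append(f"{perm}: {why}")
    if {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"} <= granted:
        out.append("SEND_SMS with CALL_PHONE: matches the SMSFactory toll-fraud profile")
    app = root.find("application")
    if app is not None:
        if not app.get(A + "label"):     # "" or absent: the blank app name the post describes
            out.append("blank app name: application label is empty or missing")
        if app.get(A + "icon") is None:  # no icon resource declared at all
            out.append("blank icon: application declares no icon")
    if any(a.get(A + "name") == DEVICE_ADMIN for a in root.iter("action")):
        out.append("device-admin receiver: app may resist uninstallation")
    return out

# Constructed manifest with the traits described in the post (not a real SMSFactory sample).
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="x.constructed">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="">
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest: named, has an icon, asks only for INTERNET.
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="x.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="@string/app_name" android:icon="@mipmap/ic_launcher"/>
</manifest>"""
```

Run it against a manifest decoded with apktool or a similar tool; the benign manifest yields no findings, while the constructed one yields seven.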

A few SMSFactory samples contain a short 'Conditions' page

There are visual differences between these versions of SMSFactory as well. Older versions that posed as game hacks had an icon, whereas the newer versions removed the icon and app name altogether. The terms and conditions in the screenshot above, mentioning the background premium SMS/calls, are only present in one version of the malware I found; other versions don't include this information at all.

What makes SMSFactory unique

In contrast to recent TrojanSMS campaigns such as UltimaSMS or Grifthorse, the vector for spreading SMSFactory varies significantly. Its stealth features such as lack of app icon and name wouldn't be allowed on the Google Play Store, hence the bad actors have resorted to a rather intricate network of websites for delivery and subsequent communication with the malware.

Another departure is the intro screen that doesn't require the entry of a phone number to initiate the malware's functions, contrary to previous premium SMS malware. Where previous TrojanSMS campaigns subscribe the victim to premium services, SMSFactory simply sends a series of SMS to premium numbers to extract money.

Affected users

Despite its lack of presence on the Play Store, according to our data, we have protected over 165,000 Avast users from the malware in the last year alone. As evidenced by the high number of impacted users coupled with new versions recently surfacing, it's fair to say that SMSFactory is an active malware and likely to continue its spread.

Map showing the number of Avast users protected from SMSFactory in the last year
(May 2021 – May 2022)

As can be seen in the map above, the regions in which we protected the most Avast users from SMSFactory within the last year are located in Russia, Brazil, Argentina, Turkey, and Ukraine. It appears that SMSFactory isn't targeting a specific region or country; its goal is to spread to as many devices as possible.

Tips on how to avoid mobile malware like SMSFactory

  • Stick to official app stores. SMSFactory highlights the importance of using verified app stores to install applications. Third-party stores or unknown sources may contain malware and aren't blocked by an authority such as Google.
  • Install an antivirus on your mobile device. This is especially important if you want to install apps from unofficial sources. You can also be protected from malicious websites this way. Antivirus acts as a safety net, protecting even the most cautious users.
  • Remain vigilant. It is important to remain cautious when downloading new apps, especially apps advertised in short and catchy videos, or through push notifications in the browser.
  • Disable or limit premium SMS with your carrier. While there are legitimate uses for premium SMS, recent SMS malware campaigns highlight the importance of control over potential charges on a user's phone contract. Disabling premium SMS features or at least setting a limit significantly negates the potential impact of TrojanSMS campaigns. This step is especially important on children's phones.

Want to know more? Find the list of SMSFactory IOCs.
