Premium Short Message Service (SMS) abuse is no longer new. But it’s pretty rare for such threats to rack up hundreds of dollars in additional phone bill costs for every victim each year.
Somehow, the threat actors behind the SMSFactory Android Trojan managed to do that. Avast reported that as many as 165,000 users worldwide have lost as much as US$336 a year to the perpetrators. What else should you know about the threat?
Our investigation uncovered additional artifacts and findings, including:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
A publicly available report by AlienVault provided us with three domains—mobilelinks[.]xyz, relario[.]xyz, and krinterro[.]com—named as indicators of compromise (IoCs). These served as the jump-off points for our deep dive into the threat.
We also know that the SMSFactory Android Trojan has affected users in countries including Russia, Brazil, Argentina, Turkey, Ukraine, the U.S., France, and Spain. Apart from earning from charges for premium SMS, the malware also racks up phone bills with premium-rate calls. And at the rate the campaign is going, the attackers stand to gain as much as US$55.44 million annually.
Only one of the domain IoCs—mobilelinks[.]xyz—was relatively aged, around 2 years old at the time the campaign was uncovered. The two remaining IoCs—relario[.]xyz and krinterro[.]com—were relatively new, around 3 months old at the time of discovery. All their current WHOIS records were redacted.
Screenshot lookups for the domain IoCs showed they didn’t host live content. Two of them—mobilelinks[.]xyz and relario[.]xyz—seem to be under construction, while krinterro[.]com led to an error page.
Subjecting the domain IoCs to DNS lookups showed they resolved to three unique IP addresses—159[.]65[.]198[.]99, 159[.]223[.]228[.]223, and 94[.]24[.]114[.]44. Reverse IP lookups for these IP resolutions led to the discovery of 181 possibly connected domains, given that the IP addresses seem to be dedicated.
Three of the additional domains—bg[.]game-store[.]mobi, gr[.]scout-apps[.]com, and mubulomokijo[.]xyz—were dubbed “malicious” by various malware engines, according to our bulk Threat Intelligence Platform (TIP) malware check results. Here are screenshots of their live content.
Entering your credentials to bg[.]game-store[.]mobi could give cybercriminals access to your gaming account. Downloading games from gr[.]scout-apps[.]com or visiting mubulomokijo[.]xyz, meanwhile, may lead to malware infections.
Interestingly, 76 of the 181 possibly connected domains hosted the same content as the malicious properties we uncovered. Their domain names, however, weren’t limited to gaming but also dating and other apps. They may belong to the same people and could be lying in wait to get weaponized.
Given the size of the financial toll SMSFactory Android Trojan can take on users, we used Domains & Subdomains Discovery to uncover other suspicious domains. Using the strings “sms.” and “phone.” as search terms gave us an additional 1,196 domains, four of which—sms[.]ceo, sms[.]beauty, sms[.]earth, and phone[.]live—are already considered malicious.
Three of the malicious domains are unreachable, which could mean they’ve already been taken down. One—phone[.]live—however, continues to be live, hosting what seems to be a website under development.
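The pivots described above (forward DNS on the IoCs, reverse IP on the resolutions, then a keyword sweep) can be turned into a repeatable watchlist-building step. The script below is an added illustration, not code from the research or from WhoisXML API; every lookup result in it is constructed sample data (TEST-NET IPs, .example domains) standing in for the live DNS, reverse-IP and discovery services, and the "dedicated IP" heuristic is an assumption that encodes the caveat in the write-up: co-hosting on a shared IP is not evidence of a shared operator.

```python
"""Expand a small IoC seed into a defanged monitoring watchlist."""

SEED_IOCS = {"ioc-one.example", "ioc-two.example", "ioc-three.example"}  # constructed

# Constructed forward-DNS answers (domain -> IPs it resolves to).
FORWARD_DNS = {
    "ioc-one.example": {"198.51.100.10"},
    "ioc-two.example": {"198.51.100.10"},
    "ioc-three.example": {"203.0.113.7"},
}
# Constructed reverse-IP answers (IP -> every domain hosted on it).
REVERSE_IP = {
    "198.51.100.10": {"ioc-one.example", "ioc-two.example",
                      "game-store.example", "dating-apps.example"},
    # 203.0.113.7 stands in for a shared host with hundreds of unrelated tenants.
    "203.0.113.7": {"ioc-three.example", *(f"site{i}.example" for i in range(400))},
}

def defang(domain):
    """Render a name safe to paste into reports and tickets."""
    return domain.replace(".", "[.]")

def dedicated_ip_pivot(seeds, forward, reverse, max_tenants=50):
    """Return {ip: co-hosted domains} for IPs that look dedicated.
    IPs with more than max_tenants names are treated as shared hosting and
    skipped, because co-hosting there says nothing about a common operator."""
    ips = set().union(*(forward.get(d, set()) for d in seeds))
    pivot = {}
    for ip in sorted(ips):
        tenants = reverse.get(ip, set())
        if len(tenants) <= max_tenants:
            pivot[ip] = tenants - seeds
    return pivot

def keyword_candidates(domains, keywords=("sms.", "phone.")):
    """Domains whose leftmost label matches the themed search strings."""
    return sorted(d for d in domains if d.lower().startswith(keywords))

def build_watchlist(seeds, forward, reverse, discovered):
    """Defanged (name, how-found) entries: seed IoCs, co-hosted names, keyword hits."""
    entries = [(defang(d), "ioc") for d in sorted(seeds)]
    for ip, hosted in dedicated_ip_pivot(seeds, forward, reverse).items():
        entries += [(defang(d), f"co-hosted@{ip}") for d in sorted(hosted)]
    entries += [(defang(d), "keyword") for d in keyword_candidates(discovered)]
    return entries
```

Feeding the output into DNS or proxy logging gives the monitoring the write-up recommends, with the "how-found" tag keeping confirmed IoCs separate from the weaker co-hosting and keyword leads.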
Users the world over should avoid accessing the IoCs and additional artifacts uncovered through our in-depth analysis if they wish to avoid the repercussions of SMSFactory Android Trojan infection. Monitoring the artifacts, both old and new, may also be worthwhile for organizations.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.