Home / Industry

Careful, the Next Premium SMS Offer You Subscribe to May Be Malicious

Premium Short Message Service (SMS) abuse is no longer new. But it’s pretty rare for such threats to rack up hundreds of dollars in additional phone bill costs for every victim each year.

Somehow, the threat actors behind the SMSFactory Android Trojan managed to do that. Avast reported that as many as 165,000 users worldwide have lost as much as US$336 a year to the perpetrators. What else should you know about the threat?

Our investigation uncovered additional artifacts and findings, including:

  • Two of the domain IoCs were newly registered domains (NRDs), which could mean they were specifically created for the malicious campaign.
  • The domain IoCs resolved to three unique seemingly dedicated IP addresses.
  • Close to 200 domains shared the IoCs’ IP addresses, three of which have been dubbed “malicious.”
  • Almost half of the possibly connected domains hosted the same content as the three malicious web properties identified.
  • Nearly 1,200 domains shared common strings with the IoCs, four of which are already considered malicious.

A sample of the additional artifacts obtained from our analysis is available for download from our website.

What We Know about the SMSFactory Android Trojan So Far

A publicly available report by AlienVault provided us three domains—mobilelinks[.]xyz, relario[.]xyz, and krinterro[.]com—named as indicators of compromise (IoCs) that served as jump-off points for our deep dive into the threat.

We also know that the SMSFactory Android Trojan has affected users in countries including Russia, Brazil, Argentina, Turkey, Ukraine, the U.S., France, and Spain. Apart from earning from charges for premium SMS, the malware also racks up phone bills with premium-rate calls. And at the rate the campaign is going, the attackers stand to gain as much as US$55.44 million annually.

What Our Deep Dive Revealed

Only one of the domain IoCs—mobilelinks[.]xyz—was relatively aged, around 2 years old at the time the campaign was uncovered. The two remaining IoCs—relario[.]xyz and krinterro[.]com—were relatively new, around 3 months old at the time of discovery. All their current WHOIS records were redacted.

Screenshot lookups for the domain IoCs showed they didn’t host live content. Two of them—mobilelinks[.]xyz and relario[.]xyz—seem to be under construction, while krinterro[.]com led to an error page.

Subjecting the domain IoCs to DNS lookups showed they resolved to three unique IP addresses—159[.]65[.]198[.]99, 159[.]223[.]228[.]223, and 94[.]24[.]114[.]44. Reverse IP lookups for these IP resolutions led to the discovery of 181 possibly connected domains, given that the IP addresses seem to be dedicated.

Three of the additional domains—bg[.]game-store[.]mobi, gr[.]scout-apps[.]com, and mubulomokijo[.]xyz—were dubbed “malicious” by various malware engines, according to our bulk Threat Intelligence Platform (TIP) malware check results. Here are screenshots of their live content.

Entering your credentials to bg[.]game-store[.]mobi could give cybercriminals access to your gaming account. Downloading games from gr[.]scout-apps[.]com or visiting mubulomokijo[.]xyz, meanwhile, may lead to malware infections.

Interestingly, 76 of the 181 possibly connected domains hosted the same content as the malicious properties we uncovered. Their domain names, however, weren’t limited to gaming but also dating and other apps. They may belong to the same people and could be lying in wait to get weaponized.

Given the importance of the financial toll SMSFactory Android Trojan can take on users, we used Domains & Subdomains Discovery to uncover other suspicious domains. Using the strings “sms.” and “phone.” as search terms gave us an additional 1,196 domains, four of which—sms[.]ceo, sms[.]beauty, sms[.]earth, and phone[.]live—are already considered malicious.

Three of the malicious domains are unreachable, which could mean they’ve already been taken down. One—phone[.]live—however, continues to be live, hosting what seems to be a website under development.

What Users Can Do

Users the world over should avoid accessing the IoCs and additional artifacts uncovered through our in-depth analysis if they wish to avoid the repercussions of SMSFactory Android Trojan infection. Monitoring the artifacts, both old and new, may also be worthwhile for organizations.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



New TLDs

Sponsored byRadix


Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign


Sponsored byVerisign