Numerous Android devices around the world, especially those in India, Russia, Brazil, Mexico, and the U.S., have been compromised as part of a massive SMS and one-time password stealer campaign, according to BleepingComputer.
Malicious Android APKs carrying the stealer malware have been spread not only via malvertising but also through 2,600 Telegram bots that ask targets for their phone numbers in exchange for the APK file, a report from Zimperium researchers showed. Once installed, the malware exfiltrates SMS messages to a 'fastsms[.]su' API endpoint. With the Fast SMS website offering access to virtual phone numbers, attackers could then use the Android SMS access permissions the malware requests to capture OTPs from more than 600 services. Aside from prompting unauthorized mobile account charges, such a compromise could also implicate victims in illicit activities involving their phone numbers, according to the researchers, who urged against downloading APKs from outside the Google Play Store and against granting excessive app permissions, while recommending that Play Protect be activated.