Over the past few months, researchers at FireEye have observed several smishing campaigns whose goal was to deliver Android malware to users in Europe.
Between February and June 2016, the security firm spotted five smishing, or SMS phishing, operations targeting people in Denmark, Italy, Germany, Austria and possibly some other European countries.
Researchers have identified a total of 55 malicious binaries used in these campaigns. The attackers set up command and control (C&C) servers, uploaded the Android malware to hosting websites, and then sent out links in SMS messages in an effort to trick recipients into installing the malware on their devices.
Once it infects a device, the malware monitors it to see what apps are executed by the victim. If one of the targeted applications is launched, the threat overlays a phishing page on top of it to get the user to hand over their information, which is then sent to the C&C servers.
While mobile banking applications appear to be the main target, researchers also analyzed operations where the cybercrooks were after information associated with messaging and other apps. The attacks were aimed at users of the MobilePay app offered by Denmark’s Danske Bank, WhatsApp, Google Play, Ubercab, YouTube and WeChat. In two of the campaigns, the malicious apps were disguised as the official post office applications used in Austria and Denmark.
While the pieces of malware deployed in these campaigns have the same general functionality, experts noticed that the threat actors started improving their creations, adding more obfuscation and bypassing Android security features.
Attackers have leveraged several URL shortening services in an effort to evade detection. The use of such services has allowed experts to determine how many devices could be infected. FireEye said the 30 shortened URLs used by the cybercriminals to redirect victims to malware had been clicked more than 160,000 times – most of the clicks were from the first few days after the link was created.
In addition to URL shorteners, the attackers also used domains they registered themselves and compromised websites to deliver the malware. The self-registered domains were given names similar to the app that was used as bait. Since registering many domains can be costly, the phishers often also leveraged compromised sites to host their malware.
Related: “Marcher” Banking Trojan Targets Over 60 Organizations
Related: Upgraded Android Banking Trojan Targets Users in 200 Countries
Related: Banking Trojans Abuse API to Evade Android Security