Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Massive Android Mobile Botnet Hijacking SMS Data

A mobile botnet called MisoSMS is wreaking havoc on the Android platform, stealing personal SMS messages and exfiltrating them to attackers in China.

A mobile botnet called MisoSMS is wreaking havoc on the Android platform, stealing personal SMS messages and exfiltrating them to attackers in China.

Researchers at FireEye lifted the curtain off the threat today, describing MisoSMS as “one of the largest advanced mobile botnets to date” and warning that it is being used in more than 60 spyware campaigns.

FireEye tracked the infections to Android devices in Korea and noted that the attackers are logging into command-and-controls in from Korea and mainland China, among other locations, to periodically read the stolen SMS messages.

 Vinay Pidathala tals about Android Botnets

Related Podcast: FireEye security researcher Vinay Pidathal talks about the MisoSMS botnet and the state of security on the Android ecosystem.

Listen Now

FireEye’s research team discovered a total of 64 mobile botnet campaigns in the MisoSMS malware family and a command-and-control that comprises more than 450 unique malicious e-mail accounts.

FireEye security content researcher Vinay Pidathala said MisoSMS infects Android systems by deploying a malicious Android app called “Google Vx” that masquerades as an Android settings app used for administrative tasks. 

The app uses a bit of trickery to install and hide itself from the user.  Once it’s installed, the app secretly steals the user’s personal SMS messages and emails them to a webmail command-and-control.

Advertisement. Scroll to continue reading.

Pidathala explains the SMS exfiltration method:

This application exfiltrates the SMS messages in a unique way. Some SMS-stealing malware sends the contents of users SMS messages by forwarding the messages over SMS to phone numbers under the attacker’s control. Others send the stolen SMS messages to a CnC server over TCP connections. This malicious app, by contrast, sends the stolen SMS messages to the attacker’s email address over an SMTP connection.  

Pidathala said all of the reported malicious e-mail accounts have been deactivated as part of a mitigation strategy with law enforcement and security response officials in Korea and China.

Related Podcast:

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.