The scheme leverages ill-intentioned advertising (malvertising) displayed on adult content and game hack websites to lure targets into downloading a trojan virus masquerading as a legitimate mobile app, Avast Software s.r.o Threat Operations Analyst Jakub Vávra revealed in a blog post last week. The fraudulent app silently hijacks users’ smartphone processes and calls premium-rate numbers. Other variants of the malware can extract users’ contact lists to spread further while being difficult to uninstall. In this case, SMSFactory primarily targeted users in Russia, Turkey, Argentina, Brazil, and Ukraine.
How SMSFactory Gets Onto Android Devices
SMSFactory targets unprotected Android users visiting free video streaming sites, torrenting platforms, and adult-oriented sites. Victims who mistakenly download the SMSFactory APK (Android Package Kit) malware via malicious ads are met with a window prompting them to “ignore Android’s inbuilt Play Protect Warning and go ahead with the installation.” The user is then prompted to click “accept” via a welcome screen which allows SMSFactory to hijack the device. The app itself practically contains no real content. Meanwhile, SMSFactory will not appear on a device’s home screen as usual but can be seen in the “Apps” list as a nameless app with a blank icon. “It is evident the malware relies on the user forgetting the app on their phone,” Vávra said.
SMSFactory Quietly Siphons Funds From Victims
Once installed, the malware communicates with a pre-set hacker domain where information about the device is sent. Bad actors then decide whether to hijack the device or not. If so, a list of phone numbers will be sent back to the malware “which will send premium SMS or a specific number,” for the app to call. The app unlocks SMS/MMS permissions along with a malicious “CALL_PHONE” instruction. “Both will result in excessive charges for the victim” when the conversion scheme begins, while hackers can also adjust how much to extort the victim, Vávra added. “Due to the nature of the malware, the user may be unaware of the financial damage until they receive their phone bill,” Vávra said. According to Vávra’s research, Avast antivirus has protected more than 165,000 users over the past year — May 2021 to May 2022 — from SMSFactory. The research found that the highest concentration of users protected from the malware campaign is in countries such as Russia, Brazil, Argentina, Ukraine, and Turkey. However, instances of the campaign have also been detected in the U.S., France, and Spain, among others.
SMSFactory Comes in Various Forms
Vávra, who monitors malware and adware campaigns on the Google Play store, said that the SMSFactory malware campaign includes not one, but several different variants of SMSFactory “with added features,” that have surfaced alongside the original campaign. One of the variants creates a new administrator account on an Android device, making it more difficult to remove, while another version is designed to siphon a user’s contact list and infect as many people as possible. Yet another version of SMSFactory redirects users to websites to install various SMSFactory apps on their devices. The different apps are not consistent with each other, in that some of them still include the name and icon, while others include a short “terms and conditions,” section, Vávra added. Vávra added that SMSFactory is still different from other premium SMS TrojanSMS campaigns that he discovered such as UltimateSMS, or Grifthorse which was discovered by mobile security company Zimperium because, curiously, hackers avoided the Google Play Store this time with blank versions of their app. This had them resort to interesting alternative methods of malware delivery. Secondly, SMSFactory distinguishes itself from others in that it “doesn’t require the entry of a phone number,” to initiate its functions and instead “sends a series of SMS to premium numbers to extract money,” Vávra said.
How to Protect Yourself From SMSFactory Malware
A high number of affected users coupled with the fact that new SMSFactory versions are being born as we speak makes it safe to say that SMSFactory “is an active malware and likely to continue its spread,” Vávra said. With a host of SMS-based malware cybercrime out there like Medusa, Roaming Mantis, and TangleBot, you must protect yourself and your finances. Future trends will possibly see a move away from antiquated and vulnerable SMS communications. In the meantime, to address dangerous mobile malware like SMSFactory, Avast recommends users only download software from official app stores, use an antivirus on their mobile devices, avoid clicking on ads and links on questionable websites and disable or limit any premium SMS features with their mobile carrier. “This step is especially important on children’s phones,” Vávra said. If you are an Android device user, you can peruse our ultimate guide to Android malware removal. Also, make sure to check out our list of top antivirus programs for 2022.