Jakub Vavra, Threat Operations Analyst, Avast
Avast has been tracking a wide-spread malware campaign consisting of TrojanSMS malware, which we are calling SMSFactory. SMSFactory sneakily siphons money from victims around the world, by sending premium SMS and making calls to premium-rate phone numbers. These numbers appear to be part of a conversion scheme, where the SMS includes an account number, identifying who should receive the money for the messages sent. Undetected, it can rack up a high phone bill, up to $7 per week or $336 per year, leaving an unpleasant surprise for victims. One version we found is also capable of extracting victims’ contact lists, likely to spread the malware further.
We have dubbed the malware SMSFactory due to its functions, as well as class names in its code, one of which is called SMSFactory.
According to my research, the malware is spreading through malvertising, push notifications and alerts displayed on sites offering game hacks, adult content, or free video streaming sites, serving the malware disguised as an app in which users can access gaming, videos or adult content. Once installed, the malware hides itself, making it nearly impossible for victims to detect what is causing the charges on their phone bills.
Silently sending $ignals
The bad actors behind SMSFactory rely on malvertising to drive their campaign. Malvertising refers to the misuse of adverts to redirect users to sites with malware payloads, and can often appear on websites providing free streaming of films and TV shows, adult content, or torrent aggregators, but may occasionally appear on mainstream sites as well.
The redirect in this case leads to a website such as the one in the screenshot below. The user is prompted to download a file that is made to resemble the site the user was redirected from. This can, for example, be a game hack app, an adult content app, a free video streaming app or similar.
Example: Redirect landing page with dynamic name visible in the top right corner
Once the user clicks on Download, the malicious app is downloaded. As it comes from a third party source, the website prompts the user to ignore Android’s inbuilt Play Protect warning and go ahead with the installation.
Screenshots showing how SMSFactory prompts the user to disable/ignore Play Protect in order to install the malware
Once installed, the user is met with a welcome screen. Clicking accept will activate the app’s malicious behaviour. The app then presents the user with a basic menu of videos, adult content and games that don’t work or aren’t available most of the time.
Example of an SMSFactory app upon installation
Ready or not, here come the charges!
SMSFactory uses several tricks to stay on the victim’s device and remain undetected. It has a blank icon and it is able to hide its presence from the user by removing its app icon from the home screen. Additionally it comes with no application name, making it more difficult for the user to discover the offending application and remove it. It is evident the malware relies on the user forgetting the app on their phone.
Blank icon and no app name are used to disguise the apps
Once hidden, the malware communicates with a pre-set domain. It sends a unique ID allocated to the device, its location, phone number, operator information and model of the phone. If the actors behind this campaign deem the victim’s device usable, the domain sends back instructions to the device. This will either be a list of phone numbers to which the malware will send premium SMS or a specific number which the application will attempt to call. Both will result in excessive charges for the victim. The exact amount depends on the command sent by the actors behind SMSFactory, in our testing we’ve seen a daily $1 charge through 10 SMS messages sent, which can rack up to $28 per month. Assuming the victims don’t notice or forget the app is installed, this could result in an extortionate phone bill.
Due to the nature of the malware, the user may be unaware of the financial damage until they receive their phone bill. SMSFactory could accrue significant charges in the meantime and it may be difficult for the user to identify the culprit due to the app hiding itself.
What makes SMSFactory Unique
In contrast to recent TrojanSMS campaigns such as UltimaSMS or Grifthorse, the vector for spreading SMSFactory varies significantly. Its stealth features such as lack of app icon and name wouldn’t be allowed on the Google Play Store, hence the bad actors have resorted to a reasonably intricate network of sites for delivery and subsequent communication with the malware.
Another departure is the intro screen that doesn’t require the entry of a phone number to initiate the malware’s functions, contrary to previous premium SMS malwares. Where previous TrojanSMS campaigns subscribe the victim to premium services, SMSFactory simply sends SMS to premium numbers to extract money.
Affected users
Despite its lack of presence on the Play Store, according to our data, we have protected over 165,000 Avast users from the malware in the last year alone. As evidenced by the high number of impacted users coupled with new versions recently surfacing, it is fair to say that SMSFactory is an active malware and likely to continue its spread.
Tips on how to avoid mobile malware, like SMSFactory
To explore the list of SMSFactory IOCs, click here.