Posted on February 21, 2022 at 6:58 PM
A recent analysis of SMS phone-verified account (PVA) services has found that threat actors are using infected Android devices to register disposable accounts. The finding once again shows the danger of relying on SMS alone for account verification.
SMS PVA services supply alternative mobile numbers to users who want to register on online platforms and other services without exposing their primary phone numbers. The services became widely known in 2018 and have also been used to bypass single sign-on (SSO) systems and the SMS-based authentication used to verify new accounts.
According to Trend Micro researchers, threat actors can use these services to create phone-verified accounts or register disposable accounts in bulk for fraud and other criminal activity. The researchers warn users and organizations that it is no longer safe to rely solely on SMS-based systems for account validation, because cybercriminals can hijack that process.
The security firm gathered telemetry data indicating where most of the affected users are located. According to the researchers, 2,779 devices were affected in Malaysia, 2,920 in Ukraine, 4,213 in South Africa, and 4,915 in Peru. The most heavily affected countries are France (5,548), Thailand (11,196), Russia (16,157), and Indonesia (47,357 infections).
The researchers also noted that most of the affected devices are low-cost Android phones from a range of original manufacturers, including HTC, Meizu, Oppo, Huawei, Mione, Lava, and ZRE.
The Infection Occurred In Two Ways
The security firm said one particular service, smspva[.]net, relies on Android phones infected with SMS-stealing malware. The firm stated that infection could have occurred in one of two ways: through malicious software preloaded onto the device, or through malware the user unknowingly downloaded.
The first path is a supply-chain compromise, an approach threat actors have adopted increasingly in recent months.
Darknet PVA services also regularly advertise “bulk virtual phone numbers” to hackers, so obtaining such numbers is not difficult. These platforms claim to offer thousands of phone numbers spanning more than 100 countries, giving attackers wide latitude in choosing the geographical region from which to operate.
The malware itself, known as Guerrilla, parses the SMS messages delivered to infected Android phones. It retrieves search patterns from a remote server and exfiltrates only the messages matching those expressions to the command-and-control server; everything else is left alone.
The Malware Can Stay Hidden For A Long Time
Another problem the researchers noted is that Guerrilla is designed to stay hidden while it operates.
The malware keeps a low profile and retrieves only the text messages belonging to the requested application. This keeps it hidden for long periods while it continues operating, according to the researchers. A user would be more likely to notice the problem if the SMS PVA service gave all of its customers access to every message on the infected devices.
Because online portals often validate new accounts by cross-checking the user's location (that is, the IP address) against the phone number's country during registration, SMS PVA services get around this control by using residential proxies and VPNs to connect to the target platform.
The Malware Provides Easy Access To Thousands Of Mobile Phones
Additionally, the services are designed so that the one-time confirmation code is captured only once, during account registration. The malware operator can retrieve, inspect, and report the SMS verification codes from the compromised devices without the owner's knowledge. The owner may therefore keep using the phone normally for a long time without noticing anything wrong.
The malware gives easy access to thousands of phones in different countries, enabling attackers to register new accounts at scale. Once registered, the accounts can be used in different types of scams, including phishing campaigns and coordinated inauthentic behavior.
This development is another setback for SMS verification as the primary means of account verification. The emergence of SMS PVA services, and the volume of numbers they can supply, will make it much harder to ensure account validity, the researchers said.
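The selective interception described above (server-supplied search patterns, only matching messages reported, everything else untouched) is what lets the operator harvest one verification code per registration without the phone's owner noticing. The following Python is an added illustration of that filtering logic written for this article; it is not Guerrilla's code and not from Trend Micro's report. The C2 task format, the regular expressions, the sender names and the inbox contents are all constructed assumptions; the real patterns and protocol are not given on the page.

```python
import json
import re
from dataclasses import dataclass


@dataclass
class Sms:
    sender: str
    body: str


# Constructed C2 task (assumption: a JSON list of target apps, each with a regex
# whose first capture group is the verification code). The third entry has an
# invalid regex to show how a sloppy task is skipped rather than crashing the client.
C2_TASK = r'''
{"tasks": [
  {"app": "telegram", "regex": "Telegram code:?\\s*(\\d{5,6})"},
  {"app": "whatsapp", "regex": "WhatsApp code:?\\s*(\\d{3}-\\d{3})"},
  {"app": "broken",   "regex": "(unbalanced"}
]}
'''

# Constructed inbox: two ordinary messages and two verification SMS.
INBOX = [
    Sms("Mom", "Dinner at 7? Bring the charger"),
    Sms("+6281000000", "Your Telegram code: 48213"),
    Sms("WhatsApp", "Your WhatsApp code: 724-901. Don't share this code with others"),
    Sms("BANK", "Your account balance is 1,250.00"),
]


def load_c2_task(task_json):
    """Compile the server-supplied patterns, dropping any that fail to compile."""
    patterns = {}
    for task in json.loads(task_json)["tasks"]:
        try:
            patterns[task["app"]] = re.compile(task["regex"], re.IGNORECASE)
        except re.error:
            continue  # a bad pattern must not take down the whole client
    return patterns


def match_sms(sms, patterns):
    """Return (app, code) for the first pattern that matches the body, else None."""
    for app, regex in patterns.items():
        m = regex.search(sms.body)
        if m:
            return app, m.group(1)
    return None


def select_for_exfil(inbox, patterns):
    """Report only messages that match a requested app; the rest are never touched,
    which is why the owner sees nothing unusual."""
    reports = []
    for sms in inbox:
        hit = match_sms(sms, patterns)
        if hit is None:
            continue
        app, code = hit
        reports.append({"app": app, "sender": sms.sender, "code": code})
    return reports


def demo():
    return select_for_exfil(INBOX, load_c2_task(C2_TASK))


if __name__ == "__main__":
    for report in demo():
        print(report)
```

Run against the constructed inbox, only the Telegram and WhatsApp messages are reported, each reduced to its code; the family message and the bank balance never leave the device. Defensively, the takeaway is the same one the researchers draw: a code delivered by SMS proves only that someone can read that phone's inbox, not that the registrant controls the phone.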