In an increasingly mobile and connected world, one-time passwords for about a decade have become a popular way for organizations – from financial institutions and retailers to similar businesses – to add another of security to online transactions and accounts.

As their use has grown, OTPs – which a business sends via an SMS text message to a customer to confirm a transaction – have become a popular target of hackers, who can bypass multifactor authentication (MFA) tools and gain control of a victim’s account or steal their identity if they’re able to intercept the message.

Researchers with mobile security provider Zimperium’s zLabs threat intelligence unit uncovered a massive and sophisticated operation that uses malware dubbed “SMS Stealer” to intercept SMS messages from Android devices and steal OTPs.

In all, the researchers found more than 107,000 malware samples linked to more than 600 global brands. The bad actors behind SMS Stealer use fake ads and more than 2,600 automated Telegram bots that mimic legitimate businesses to trick targets into loading a malicious app onto their device. More than 95% were unknown and unavailable malware samples.

Once installed, the app requests permission to read SMS messages, with the researchers writing in a report that this is a “high-risk permission on Android that grants extensive access to sensitive personal data. … This particular app’s request is intended to exfiltrate the victim’s private text message communications.”

If permission is granted, the malware connects to one of 13 command-and-control (C2) servers and starts transmitting the messages, including those with OTPs.

“The final phase transforms the victim’s device into a silent interceptor,” they wrote. “The malware remains hidden, constantly monitoring new incoming SMS messages. Its primary target is OTPs used for online account verification.”

At Least Two Years in Operation

The operation was first detected in 2022. The researchers called the scale of the malware campaign “staggering.” Along with the number of samples – of which more than 99,000 were or still are unknown and unavailable in repositories – more than 60 of the 600 targeted brands were from global organizations. Some of the brands had hundreds of millions of users. The campaign also stretched over 113 countries, with Russia (17.5% of the attacks) and India (23.8%) bearing the brunt of the threat.

By contrast, the United States saw 4%.

“These numbers paint a concerning picture of a large-scale and sophisticated operation behind this malware campaign,” the researchers wrote. “The campaign’s ability to evade detection by many [antivirus] solutions emphasizes the need for a multi-layered approach to mobile security. … With a vast array of malware samples discovered by our research team and the multiple infection vectors, you can see the threat landscape is complex and constantly evolving.”

The hackers accepted a number of different payment methods, including cryptocurrency, like Bitcoin.

Account Takeovers, Ransomware

They can use the stolen OTPs to steal login credentials – which can lead to account takeovers – infiltrate additional malware to ramp up the severity of the attack, launch ransomware attacks, and steal money through unauthorized charges and fraudulent accounts.

They also can create fake accounts on popular services and launch phishing campaigns or social engineering attacks, the researchers wrote.

Jason Soroko, senior vice president of product at certificate lifecycle management company Sectigo, said the number of bots and C2 servers – along with the almost 4,000 samples that included pre-embedded phone numbers – “underscores the complexity and scale of this operation. We have seen SMS redirection malware in the past, however, the ability of SMS Stealer to intercept OTPs, facilitate credential theft, and enable further malware infiltration, poses severe risks.”

Ken Dunham, cyberthreat director at security firm Qualys’ threat research unit, noted the increased targeting of mobile devices.

“Subversion of mobile phones is of increasing interest to bad actors seeking to subvert weakly defended one-time password accounts and other sensitive information that can be compromised via SMS malware,” Dunham said. “Text messages increasingly contain a wealth of sensitive information that can be used for secure authentication as well as extortion of a victim. SMS malware, when combined with other identity access broker data, becomes a toxic cocktail for victims targeted by sophisticated adversaries.”