Trend Micro researchers reported that “malicious actors can use this type of service to register disposable accounts in bulk or create phone-verified accounts for conducting fraud and other criminal activities.” Over the last two years there has been an increase in short message service (SMS) phone-verified account (PVA) services, which supply customers with alternative mobile numbers to use when registering for online services and platforms.

These services bypass the SMS verification that online platforms commonly use to validate new accounts: a customer who can receive one-time codes on numbers they do not own can create phone-verified accounts, or register disposable accounts in bulk, for criminal purposes.

The majority of the infections (47,357) were found in Indonesia, followed by Russia (16,157), Thailand (11,196), India (8,109), France (5,548), Peru (4,915), Morocco (4,822), South Africa (4,413), Ukraine (2,920) and Malaysia (2,779). Most of the affected devices were assembled by original equipment manufacturers such as Lava, ZTE, Mione, Meizu, Huawei, Oppo and HTC.

One such service, smspva[.]net, is backed by Android phones infected with SMS-intercepting malware. The researchers believe the infection happened in one of two ways: either the malware was downloaded unwittingly by users, or it was preloaded onto the devices during manufacturing, which would imply a supply-chain compromise.

“Because of the scale at which SMS PVA is able to supply mobile numbers, the usual methods of ensuring validity such as blocking mobile numbers previously associated with account abuse or identifying numbers belonging to VoIP services or SMS gateways will not suffice.”

Online portals also frequently validate new accounts by cross-checking the user’s location (i.e., the IP address) against the phone number’s country during registration. SMS PVA services sidestep this check by connecting to the target platform through residential proxies and VPNs, so the connecting IP appears to come from the region the number belongs to.
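The two paragraphs above describe the checks a platform typically runs at sign-up (abuse blocklist, VoIP/gateway number ranges, phone country versus IP country) and why a PVA-supplied number reached through a residential proxy passes all of them. The following is an added example, not code from Trend Micro or from the article, showing those checks alongside an assumed bulk-registration heuristic (many sign-ups from one carrier number block in a short window). The reference data, the dialing-code table and the registration events are all constructed for the example; the burst threshold and window are hypothetical tuning values.

```python
"""Registration risk scoring in the presence of SMS PVA services.

Added example, not code from Trend Micro or from the article. All reference
data and registration events below are constructed. It shows why the checks
the researchers call insufficient (an abuse blocklist, VoIP/gateway prefixes,
phone-country vs IP-country) pass cleanly for PVA-supplied numbers reached
through a residential proxy, and adds an assumed bulk-registration signal:
many sign-ups from one carrier number block in a short window.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Registration:
    phone: str        # E.164 number as submitted, e.g. "+62812..."
    ip_country: str   # ISO country from geolocating the registering IP
    ts: datetime      # time of the sign-up attempt


# Hypothetical reference data (constructed, not real ranges).
ABUSE_BLOCKLIST = {"+15550001111"}
VOIP_PREFIXES = {"+1555"}
DIALING_CODES = {"+62": "ID", "+7": "RU", "+66": "TH", "+91": "IN",
                 "+33": "FR", "+1": "US"}


def phone_country(phone: str):
    """Longest-prefix match of the dialing code, or None if unknown."""
    for code in sorted(DIALING_CODES, key=len, reverse=True):
        if phone.startswith(code):
            return DIALING_CODES[code]
    return None


class RiskScorer:
    """Stateful scorer: remembers recent sign-ups per number prefix so it can
    spot a burst from one block, which a per-number blocklist never sees."""

    def __init__(self, window=timedelta(minutes=10), burst_threshold=5,
                 prefix_len=7):
        self.window = window
        self.burst_threshold = burst_threshold
        self.prefix_len = prefix_len
        self._recent = defaultdict(list)   # number prefix -> sign-up times

    def score(self, reg: Registration):
        reasons = []
        # 1. Conventional checks: each is easy for a PVA service to avoid.
        if reg.phone in ABUSE_BLOCKLIST:
            reasons.append("blocklisted number")
        if any(reg.phone.startswith(p) for p in VOIP_PREFIXES):
            reasons.append("voip/gateway range")
        pc = phone_country(reg.phone)
        if pc and pc != reg.ip_country:
            reasons.append(f"phone country {pc} != ip country {reg.ip_country}")
        # 2. Burst check across numbers sharing a prefix (assumed heuristic).
        prefix = reg.phone[:self.prefix_len]
        bucket = self._recent[prefix]
        bucket.append(reg.ts)
        cutoff = reg.ts - self.window
        bucket[:] = [t for t in bucket if t >= cutoff]
        if len(bucket) >= self.burst_threshold:
            reasons.append(
                f"{len(bucket)} sign-ups from prefix {prefix} within {self.window}")
        return reasons


def evaluate(registrations, scorer=None):
    """Feed events in arrival order; return one result per registration."""
    scorer = scorer or RiskScorer()
    return [{"phone": r.phone, "reasons": scorer.score(r)} for r in registrations]


def sample_events():
    """Constructed events: five numbers from one Indonesian block used through
    an Indonesian residential proxy, then two control cases."""
    t0 = datetime(2022, 2, 21, 9, 0, 0)
    pva_run = [Registration(f"+62812345{i:04d}", "ID", t0 + timedelta(seconds=30 * i))
               for i in range(5)]
    controls = [
        Registration("+15550001111", "US", t0),   # blocklisted and in a VoIP range
        Registration("+33612345678", "ID", t0),   # French number, Indonesian IP
    ]
    return pva_run + controls


if __name__ == "__main__":
    for result in evaluate(sample_events()):
        print(result["phone"], result["reasons"] or "clean")
```

Run as-is, the first four PVA sign-ups come back clean: the numbers are real mobile numbers, not on any blocklist, and the proxy makes the IP country match. Only the fifth trips the burst rule, which is the kind of cross-registration signal a platform has to lean on once per-number reputation stops working.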

Finally, the researchers concluded that “these services only sell the one-time confirmation codes required during account registration, with the botnet operator employing an army of compromised devices to receive, examine and report the SMS verification codes without the owners’ knowledge or consent.”

Indicators of Compromise

Dex SHA-1                                  Detection
24b24990937b4265e276db8271b309c05e1d374b   AndroidOS_Guerrilla.HRXD
6a65e2a484f49e82a0cea5a1c2d5706314f0064a   AndroidOS_Guerrilla.HRXD
e83ec56dfb094fb87b57b67449d23a18208d3091   AndroidOS_Guerrilla.HRXD

Domains:

  • smspva[.]net
  • enjoynut[.]cn
  • sublemontree[.]com
  • lemon91[.]com
  • lemon91[.]top
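A practical way to use the indicators above is a sweep over DNS logs and over unpacked APKs. The following is an added example, not from Trend Micro or the article: it re-fangs the listed domains, matches log queries against them (exact or subdomain, so a lookalike such as notlemon91.com does not match), and compares SHA-1 digests of .dex files with the listed hashes. The DNS log line format and the sample lines are constructed for the example; the hashes and domains are the ones listed on this page.

```python
"""IOC sweep for the Guerrilla SMS PVA indicators listed above.

Added example, not from Trend Micro or the article. It re-fangs the listed
domains, matches DNS log lines against them (including subdomains), and
checks SHA-1 digests of classes.dex files against the listed hashes. The log
format and log lines below are constructed for the example.
"""
import hashlib
import os
import re

# Indicators from the article (hash -> detection name).
DEX_SHA1 = {
    "24b24990937b4265e276db8271b309c05e1d374b": "AndroidOS_Guerrilla.HRXD",
    "6a65e2a484f49e82a0cea5a1c2d5706314f0064a": "AndroidOS_Guerrilla.HRXD",
    "e83ec56dfb094fb87b57b67449d23a18208d3091": "AndroidOS_Guerrilla.HRXD",
}
DEFANGED_DOMAINS = ["smspva[.]net", "enjoynut[.]cn", "sublemontree[.]com",
                    "lemon91[.]com", "lemon91[.]top"]


def refang(domain: str) -> str:
    """Turn the published 'a[.]b' form back into a matchable hostname."""
    return domain.replace("[.]", ".").strip().lower()


IOC_DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]


def domain_matches(query: str, iocs=IOC_DOMAINS):
    """Exact or subdomain match; 'notlemon91.com' must not match 'lemon91.com'."""
    q = query.strip().lower().rstrip(".")
    return [d for d in iocs if q == d or q.endswith("." + d)]


# Constructed log line shape: "<ts> client=<ip> query=<name> type=<rr>".
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def scan_dns_log(text: str):
    """Return (line_no, client, query, matched_ioc) for each hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.search(line)
        if not m:
            continue
        for ioc in domain_matches(m.group("query")):
            hits.append((n, m.group("client"), m.group("query"), ioc))
    return hits


def sha1_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def match_digest(digest: str):
    """Detection name for a known dex SHA-1 (case-insensitive), else None."""
    return DEX_SHA1.get(digest.strip().lower())


def sweep_dex(root: str):
    """Walk a directory of unpacked APKs and report any dex matching the IOCs."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".dex"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = sha1_bytes(fh.read())
            det = match_digest(digest)
            if det:
                hits.append((path, digest, det))
    return hits


# Constructed sample log: three of the five lines should match.
SAMPLE_DNS_LOG = """\
2022-02-21T09:00:01Z client=10.0.0.5 query=time.android.com type=A
2022-02-21T09:00:02Z client=10.0.0.5 query=api.smspva.net type=A
2022-02-21T09:00:03Z client=10.0.0.9 query=lemon91.com. type=A
2022-02-21T09:00:04Z client=10.0.0.9 query=notlemon91.com type=A
2022-02-21T09:00:05Z client=10.0.0.7 query=cdn.enjoynut.cn type=AAAA
"""

if __name__ == "__main__":
    import sys
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("DNS hit:", hit)
    if len(sys.argv) > 1:
        for hit in sweep_dex(sys.argv[1]):
            print("DEX hit:", hit)
```

Point the script at a directory of APKs unpacked with a tool such as apktool to run the dex sweep; hash matching only catches the exact samples listed, so treat a miss as inconclusive rather than clean, and lean on the domain matches for devices whose traffic you can see.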

For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1 and on LinkedIn.
