An analysis of SMS phone-verified account (PVA) services has led
to the discovery of a rogue platform built atop a botnet involving
thousands of infected Android phones, once again underscoring the
flaws with relying on SMS for account validation.
SMS PVA services, since gain prevalence in 2018, provide users
with alternative mobile numbers that can be used to register for
other online services and platforms, and help bypass SMS-based
authentication and single sign-on (SSO) mechanisms put in place to
verify new accounts.
“This type of service can be used by malicious actors to
register disposable accounts in bulk or create phone-verified
accounts for conducting fraud and other criminal activities,” Trend
Micro researchers said[1]
in a report published last week.
Telemetry data gathered by the company shows that most of the
infections are located in Indonesia (47,357), followed by Russia
(16,157), Thailand (11,196), India (8,109), and France (5,548),
Peru (4,915), Morocco (4,822), South Africa (4,413), Ukraine
(2,920), and Malaysia (2,779).
A majority of affected devices are budget Android phones
assembled by original equipment manufacturers such as Lava, ZTE,
Mione, Meizu, Huawei, Oppo, and HTC.
One particular service, dubbed smspva[.]net, comprises of
Android phones infected with SMS-intercepting malware, which the
researchers suspect could have happened in either of two ways:
through malware downloaded accidentally by the user or through
malicious software preloaded into the devices during manufacturing,
implying a supply-chain compromise.
The underground VPA service advertises “bulk virtual phone
numbers” for use on various platforms via an API, in addition to
claiming to be in possession of phone numbers spanning across more
than 100 countries.
The Guerrilla malware (“plug.dex[2]“), for its part, is
engineered to parse SMS messages received on the affected Android
phone, check them against specific search patterns[3] received from a remote
server, and then exfiltrate the messages that match those
expressions back to the server.
“The malware remains low-profile, collecting only the text
messages that match the requested application so that it can
covertly continue this activity for long periods,” the researchers
said. “If the SMS PVA service allows its customers to access all
messages on the infected phones, the owners would quickly notice
the problem.”
With online portals often authenticating new accounts by
cross-checking the location (i.e., IP address) of the users against
their phone numbers during registration, SMS PVA services get
around this restriction by making use of residential proxies and
VPNs to connect to the desired platform.
What’s more, these services only sell the one-time confirmation
codes needed at the time of account registration, with the botnet
operator using the army of compromised devices to receive, examine,
and report the SMS verification codes without the owners’ knowledge
and consent.
In other words, the botnet facilitates easy access to thousands
of mobile numbers in different countries, effectively enabling the
actors to register new accounts en masse and use them for various
scams or even participate in coordinated inauthentic user
behavior.
“The presence of SMS PVA services makes another dent on the
integrity of SMS verification as the primary means of account
validation,” the researchers said.
“The scale to which SMS PVA is able to supply mobile numbers
means that the usual methods to ensure validity — such as
blocklisting mobile numbers previously tied to account abuse or
identifying numbers belonging to VoIP services or SMS gateways —
won’t be enough.”
References
Read more https://thehackernews.com/2022/02/hackers-exploit-bug-in-sms-verification.html