Attackers have increasingly started using Telegram as a control server (C2)¹. In a new study, Positive Technologies detected over a thousand Telegram bots of Indonesian origin being used as C2 servers for SMS stealers. The likely goal of the attackers is to steal money and personal data from users.

The lion's share of all malware analyzed by the researchers consists of two types of stealers: SMS Webpro and NotifySmsStealer. As experts have pointed out, cybercriminals don't write malware from scratch; they use a template. The structure of the classes, their names, and the stealer code are identical, the only differences being the C2 servers within the samples and the format or wording for sending messages to Telegram. From a functionality standpoint, the second type of malware differs from the first by its ability to steal information not only from messages, but from notifications too.

Everyday users are the main targets of these cyberattacks. Victims received phishing messages with an APK file attachment and downloaded it without checking the file extension. As a result, an SMS stealer was installed on their phones, allowing cybercriminals to intercept one-time codes for accessing services. With a one-time password from a bank account, they were able to drain the victims' funds.

"While investigating bots on Telegram, we uncovered numerous Indonesian-origin chats emerging daily: what caught our attention was the staggering number of messages and victims. We discovered SMS stealers linked to these chats, with the infection chain often starting with phishing on WhatsApp. As bait, the attackers mostly used wedding invitations, banking and other services and documents," said Denis Kuvshinov, Head of Threat Analysis at Positive Technologies.

According to the experts, the majority of victims (judging by the countries from which the malware samples were downloaded) are Indonesian nationals. The number of alleged victims in Indonesia is in the thousands. In India and Singapore, the number of malware downloads has risen to several dozen. In India and Bangladesh, unique types of stealers are used. In Russia, Belarus, and Malaysia, isolated attack incidents have been reported.

To protect yourself from stealers, experts recommend that you do the following:

• Check the extensions of any files that you receive.
• Never download apps from links in messages sent from unknown numbers, even if the sender claims to be a bank employee.
• When downloading an app from Google Play, make sure that the name of the app is correct by cross-checking it with official sources.
• Do not download or install apps that require permissions that are suspicious.

1. C2 is the command-and-control server where the management software usually resides. It enables an attacker to remotely control the victim's device, access confidential information, and launch other attacks.