Last Updated on 21/02/2022 by Nidhi Khandelwal
An investigation into SMS phone-verified account (PVA) services has uncovered a rogue platform built on a botnet of thousands of infected Android phones, once again highlighting the risks of relying on SMS for account verification.
Since gaining popularity in 2018, SMS PVA services have supplied customers with alternate mobile phone numbers that can be used to register for online services and platforms, and so to bypass the SMS-based verification and single sign-on (SSO) checks those platforms require before a new account is accepted.
The majority of the devices impacted are low-cost Android phones built by original equipment manufacturers like Lava, ZTE, Mione, Meizu, Huawei, Oppo, and HTC.
One such service, smspva[.]net, runs on Android phones infected with SMS-intercepting malware. The researchers believe the infection could have happened in one of two ways: either the user unknowingly installed the malware, or it was preloaded onto the devices during manufacturing, which would amount to a supply-chain compromise.
The smspva[.]net service claims to have phone numbers in more than 100 countries and offers "bulk virtual phone numbers" for use on various platforms through an API.
The Guerrilla malware ("plug.dex"), for its part, is designed to parse the SMS messages received on an infected Android phone, match them against search patterns (regular expressions) sent from a remote server, and exfiltrate only the messages that match those expressions back to the server.
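The following is an added illustration of the selection logic just described, written for this page and not taken from the malware or from the researchers' analysis. It simulates how server-supplied regular expressions pick verification texts out of an inbox while leaving personal messages untouched, which is what lets the phone's owner keep using the device without noticing anything. The pattern names, the expressions themselves and the sample messages are all constructed for the example; the real rules pushed by smspva[.]net are not on the page.

```python
"""Simulation of the SMS-filtering loop attributed to the Guerrilla plugin.

Added example, not the malware's own code: it models how a server-supplied
list of regular expressions selects only messages of interest (account
verification codes) from an infected phone's inbox, so ordinary texts are
never forwarded and the device owner has nothing to notice.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Pattern


@dataclass(frozen=True)
class Sms:
    """One received text message (constructed test data, not real traffic)."""
    sender: str
    body: str


# Hypothetical search patterns in the form a control server might push.
# Each rule names the service it targets and captures the one-time code.
# The real expressions used by the smspva[.]net operators are not on the page.
C2_PATTERNS: Dict[str, str] = {
    "service-a": r"(?i)your service-a (?:login )?code is[: ]*(\d{4,8})",
    "service-b": r"(?i)(\d{6}) is your service-b verification code",
}


def compile_patterns(raw: Dict[str, str]) -> Dict[str, Pattern[str]]:
    """Compile server-supplied expressions once; drop any that are not valid regex."""
    compiled: Dict[str, Pattern[str]] = {}
    for name, expr in raw.items():
        try:
            compiled[name] = re.compile(expr)
        except re.error:
            # A malformed rule is skipped rather than crashing the loop.
            continue
    return compiled


def select_for_exfil(inbox: List[Sms], patterns: Dict[str, Pattern[str]]) -> List[dict]:
    """Return only the messages (with the extracted code) that match a server rule.

    This is the selection step the article describes: parse each SMS, test it
    against every pattern, and queue the matches for upload. Messages that
    match nothing are left alone.
    """
    hits: List[dict] = []
    for sms in inbox:
        for service, pat in patterns.items():
            m = pat.search(sms.body)
            if m:
                hits.append({
                    "service": service,
                    "sender": sms.sender,
                    "code": m.group(1),
                    "body": sms.body,
                })
                break  # one matching rule is enough to queue the message
    return hits


# Constructed inbox: two verification texts mixed with unrelated messages.
SAMPLE_INBOX: List[Sms] = [
    Sms("+15550001111", "Your Service-A login code is 482913. Do not share it."),
    Sms("+15550002222", "Hey, are we still on for dinner tonight?"),
    Sms("ServiceB", "719204 is your Service-B verification code"),
    Sms("+15550003333", "Your balance is 42.50 as of today"),
]


def run_sample() -> List[dict]:
    """Apply the constructed rules to the constructed inbox."""
    return select_for_exfil(SAMPLE_INBOX, compile_patterns(C2_PATTERNS))


if __name__ == "__main__":
    for hit in run_sample():
        print(f"{hit['service']}: code {hit['code']} from {hit['sender']}")
```

The point to take from the simulation is that only the two verification texts are selected; the dinner invitation and the balance notice never leave the phone. Because the rules live on the server, the operators can add a new target platform without touching the implant, and the owner of the phone sees a normal inbox throughout.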