Full Report
New Android malware Qwizzserial has infected 100,000 devices, primarily in Uzbekistan, stealing SMS data via Telegram distribution
Analysis Summary
# Incident Report: Mass Android SMS Stealer Campaign (Qwizzserial)
## Executive Summary
A significant Android malware campaign, dubbed Qwizzserial, infected approximately 100,000 mobile devices primarily located in Uzbekistan. The malware functions as an SMS stealer, leveraging social engineering tactics via Telegram to distribute malicious APKs disguised as government financial aid applications. The primary confirmed impact mentioned is financial gain for the perpetrators, estimated at least \$62,000 over three months.
## Incident Details
- **Discovery Date:** During broader investigation into the Ajina malware family (specific discovery date not provided, but analysis occurred prior to the July 2, 2025 reporting).
- **Incident Date:** March - June 2025 (period of confirmed illicit earnings).
- **Affected Organization:** Individual Android users, primarily in Uzbekistan.
- **Sector:** Mobile Users/General Public.
- **Geography:** Uzbekistan.
## Timeline of Events
### Initial Access
- **Date/Time:** Beginning March 2025 (implied).
- **Vector:** Social engineering via Telegram channels, utilizing sideloading of malicious APKs.
- **Details:** Cybercriminals created fake Telegram channels impersonating government agencies. They disseminated fake decrees and offered "Presidential Support" or "Financial Assistance" to trick users into downloading and installing the malware-laden APK files.
### Lateral Movement
- *Not explicitly detailed in the provided text, as the focus is on mobile endpoint compromise and data exfiltration.*
### Data Exfiltration/Impact
- **Details:** The Qwizzserial malware is designed to steal SMS messages. It is also capable of tasks like extracting contact lists, tracking location via GPS, recording audio, and accessing device storage, though SMS theft is its primary described function.
### Detection & Response
- **How it was discovered:** Identified by Group-IB researchers during a larger investigation into the Ajina malware family.
- **Response actions taken:** The information was published by researchers, signaling public disclosure and awareness efforts, although specific governmental or platform removal actions are not detailed.
## Attack Methodology
- **Initial Access:** Social engineering via Telegram, tricking users into sideloading malicious APKs disguised as legitimate financial aid applications.
- **Persistence:** *Not explicitly detailed.*
- **Privilege Escalation:** *Not explicitly detailed, likely uses standard Android permission requests associated with SMS/storage access.*
- **Defense Evasion:** *Not explicitly detailed, relies on masquerading as a trusted government application.*
- **Credential Access:** *Not explicitly detailed, though SMS theft often implies the capture of 2FA/MFA codes.*
- **Discovery:** *Capable of extracting device information, including GPS location.*
- **Lateral Movement:** *Not applicable in the context of an Android mobile infection.*
- **Collection:** SMS messages, contact lists, GPS data, audio recordings, and potentially files from device storage.
- **Exfiltration:** *Implied command-and-control infrastructure managed through Telegram bots.*
- **Impact:** Theft of sensitive information, financial fraud facilitated by SMS interception.
## Impact Assessment
- **Financial:** Perpetrators earned at least $62,000 between March and June 2025 from the campaign managed by one group.
- **Data Breach:** SMS messages, contact lists, and personal location/audio data compromised on approximately 100,000 devices.
- **Operational:** Direct operational impact appears localized to the compromised mobile devices of end-users.
- **Reputational:** Potentially damages public trust in government aid distribution channels and the legitimacy of information spread via Telegram.
## Indicators of Compromise
*Note: Specific IoCs (URLs, IPs, hashes) were not provided in the text.*
- **Network indicators:** Communication likely routed through Command and Control servers potentially managed via Telegram bots.
- **File indicators:** Malicious APKs masquerading under names like "Presidential Support" or "Financial Assistance."
- **Behavioral indicators:** Requesting excessive permissions upon installation (e.g., SMS read/write, READ\_LOGS, GPS access) and engaging in SMS harvesting activities.
## Response Actions
- **Containment measures:** Due to the nature of the attack (sideloaded apps), containment would require users to uninstall the identified applications.
- **Eradication steps:** Users must remove the malicious APKs from their Android devices.
- **Recovery actions:** Users need to change any credentials potentially compromised via intercepted SMS/2FA codes.
## Lessons Learned
- **Key takeaways:** Telegram is an effective platform for wide-scale social engineering campaigns due to its perceived anonymity and community structure. The Classiscam fraud model is adaptable to new distribution channels (moving from phishing links to direct APK distribution via bots).
- **What could have been done better:** Increased education for the public regarding the risks of sideloading applications from unverified sources, particularly those obtained via social media messaging apps promising financial benefits.
## Recommendations
- **Prevention measures for similar incidents:** End-users should be strongly discouraged from installing APKs from unverified sources, even if shared through known contacts or groups on messaging platforms like Telegram. Ensure Google Play Protect or equivalent security software is active and monitor for excessive permission requests during application installation. Individuals should verify all government aid programs through official, secure web portals rather than responding to direct messages or links.