Qwizzserial Android Malware Masquerades as Legit Apps to Steal Banking Data and Intercept 2FA SMS

A new and concerning Android malware family, known as Qwizzserial, has surfaced, posing a significant threat to users, particularly in Uzbekistan. This malware, identified by Group-IB in March 2024, functions as an SMS stealer, adept at intercepting two-factor authentication (2FA) codes and pilfering sensitive banking information, thereby jeopardizing personal and financial security.

Qwizzserial cleverly disguises itself as legitimate applications, such as financial assistance tools or banking apps, enticing unsuspecting users to install malicious APKs. The malware often spreads through deceptive messages and channels on Telegram, leading users into a false sense of security.

Figure: Creation of the ZIP archive with SMS messages.

Emerging Threat in Uzbekistan

With an estimated 100,000 infections across approximately 1,200 samples, the malware's reach is alarmingly extensive, and new samples continue to appear daily at an increasing rate, as shown by Group-IB's telemetry data.

The operational tactics of Qwizzserial are characterized by a blend of social engineering and technical sophistication. Threat actors distribute the malware via Telegram, employing enticing file names such as “Are these your photos?” or impersonating government services to evoke curiosity or urgency among potential victims.

Fraudsters bolster their credibility by establishing fake Telegram channels that mimic official entities, including “Moliyaviy Yordam” (Financial Assistance), and even disseminate falsified presidential decrees to enhance their scams.

Sophisticated Distribution via Telegram

Upon installation, the malware, typically written in Kotlin, requests permissions for phone calls and SMS access, persistently prompting users until these permissions are granted. Once access is obtained, it exfiltrates critical data, including bank card details, phone numbers, and SMS messages, utilizing Telegram bots or gate servers like hxxp://llkjllj[.]top for data transmission.

Advanced variants of Qwizzserial employ obfuscation tools such as NP Manager and Allatori Demo. Some variants even request users to disable battery optimization to ensure persistent background operation, highlighting an evolution in their persistence mechanisms.

The financial impact of Qwizzserial is staggering, with a single group reportedly generating around US,000 between mid-March and mid-June 2025, as disclosed on their Telegram “Profits” channel.

Figure: Deceptive message via Telegram.

The malware exhibits a Pareto distribution pattern, where approximately 25% of samples account for 80% of infections, with those masquerading as financial institutions achieving the highest distribution rates. Beyond initial data theft, Qwizzserial intercepts incoming SMS messages using broadcast receivers, specifically targeting banking notifications and large transactions exceeding 500,000 UZS (approximately US-39).

This persistent threat capitalizes on the local banking sector’s reliance on SMS authentication, rendering it particularly effective in Uzbekistan.

In response, Group-IB has developed detection methods within its Fraud Protection system to identify both known Qwizzserial samples and emerging SMS stealers through behavior-based rules, providing a proactive defense against these evolving threats.

Indicators of Compromise (IOCs)

Type                Indicator
Network Indicator   llkjllj[.]top
SHA256 (Sample)     ea6a11a6e5da7a82bbcaca86c3d35b22f241b20f6ba5ae5e48eded99e19f6aa5
SHA256 (Sample)     8dd5f2f406ce0d11a3c75d511b69350ba1160ed780b6b4a0f3193eb087553cca
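The permission and receiver pattern described above (SMS and phone permissions requested on install, an SMS broadcast receiver, a request to ignore battery optimization) and the indicators listed in the table are what an analyst would check first when triaging a suspicious APK. The script below is an added example written for this article, not Group-IB's Fraud Protection rules or code from the malware: it scores a decoded AndroidManifest.xml with a simple heuristic modelled on those behaviours, then matches extracted strings and file hashes against the IOCs published here. The two manifests and the strings dump are constructed for the example; the scoring weights are the author's assumption, not a published rule.

```python
"""Static triage heuristic for SMS-stealer-style Android apps (example code)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # attribute key for android:name

# Permissions and receiver action that SMS stealers rely on.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
PHONE_PERMS = {"android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE",
               "android.permission.READ_PHONE_NUMBERS"}
BATTERY_PERM = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Indicators taken from the article's IOC table (network IOC kept defanged).
NETWORK_IOCS = ["llkjllj[.]top"]
SAMPLE_SHA256 = {
    "ea6a11a6e5da7a82bbcaca86c3d35b22f241b20f6ba5ae5e48eded99e19f6aa5",
    "8dd5f2f406ce0d11a3c75d511b69350ba1160ed780b6b4a0f3193eb087553cca",
}


def triage_manifest(xml_text: str) -> dict:
    """Score a decoded AndroidManifest.xml; weights are an assumption for illustration."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    receiver_actions = {a.get(NAME) for r in root.iter("receiver") for a in r.iter("action")}

    findings, score = [], 0
    if perms & SMS_PERMS:
        findings.append("requests SMS permissions: " + ", ".join(sorted(perms & SMS_PERMS)))
        score += 2
    if SMS_ACTION in receiver_actions:
        findings.append("registers a broadcast receiver for SMS_RECEIVED")
        score += 2
    if perms & PHONE_PERMS:
        findings.append("requests phone permissions: " + ", ".join(sorted(perms & PHONE_PERMS)))
        score += 1
    if BATTERY_PERM in perms:
        findings.append("asks to be excluded from battery optimization (persistence)")
        score += 1
    verdict = "high" if score >= 5 else "medium" if score >= 3 else "low"
    return {"package": root.get("package"), "score": score, "verdict": verdict,
            "findings": findings}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def find_network_iocs(strings_dump: str) -> list:
    """Return known network IOCs that appear in a strings dump of the APK."""
    return [refang(i) for i in NETWORK_IOCS if refang(i) in strings_dump]


def is_known_sample(sha256_hex: str) -> bool:
    return sha256_hex.lower() in SAMPLE_SHA256


# Constructed manifest mimicking the behaviour described in the article.
STEALER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.fake.financialaid">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.benign.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

# Constructed strings dump; the host is the article's IOC, refanged for matching.
STRINGS_DUMP = "okhttp3\nhttp://llkjllj.top\nsms_archive.zip\n"

if __name__ == "__main__":
    for m in (STEALER_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
    print(find_network_iocs(STRINGS_DUMP))
```

A legitimate messaging app will also score "medium" on this heuristic, since it legitimately holds SMS permissions and an SMS receiver; the score is a triage signal to be combined with package identity, signing certificate and the IOC matches, not a verdict on its own.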
