Qwizzserial Android Malware Posing as Legitimate Apps Steals Banking Data & Intercepts 2FA SMS

A sophisticated Android malware campaign, known as Qwizzserial, has emerged as a significant threat to banking security in Central Asia, particularly affecting users in Uzbekistan. This malware represents a troubling evolution in mobile banking fraud, taking advantage of the region’s reliance on SMS-based authentication for financial transactions.

Initially identified in mid-2024, Qwizzserial remained relatively quiet before experiencing a dramatic surge in both distribution and impact. The malware operates by disguising itself as legitimate applications, using names such as “Presidential Support” and “Financial Assistance,” and even imitating established banking apps to deceive unsuspecting users into installation.

Analysts from Group-IB uncovered this malware during their investigations into related Android threats, noting its sophisticated distribution network, which closely resembles the well-documented Classiscam fraud infrastructure. To date, the campaign has reportedly infected around 100,000 users, resulting in documented financial losses exceeding ,000 within just three months of its active operation.

The primary distribution channel for Qwizzserial is Telegram, where cybercriminals create convincing channels that pose as government entities offering financial assistance programs. The scale and sophistication of this operation indicate a well-organized criminal enterprise, complete with defined roles such as administrators, workers, malware developers, and specialized “vbivers” who verify stolen card details for fraudulent withdrawals.

Malware requests to disable battery optimization restrictions, and corresponding code (Source – Group-IB)

This structured approach has facilitated a rapid increase in infections across the targeted region, with new variants of the malware appearing at an alarming rate.

Technical Analysis of Infection Mechanism

The infection chain shows careful engineering aimed at maximizing data theft while keeping a foothold on the victim's device. On first launch, the malware requests the permissions it needs to operate:

android.permission.READ_PHONE_STATE
android.permission.CALL_PHONE
android.permission.RECEIVE_SMS
android.permission.READ_SMS

The permission prompts are repeated until the user grants each one; with RECEIVE_SMS and READ_SMS granted, the app can read incoming one-time codes as well as the existing message store. Once the permissions are secured, the victim is shown a convincing form asking for two phone numbers and full bank card details, including the expiry date.

Malware’s main activity layout in Uzbek (left) and translations in English (right), requesting for users to provide their personal and financial information (Source – Group-IB)

Qwizzserial's data collection goes beyond the form input: it harvests the SMS messages already on the device and packages them into ZIP archives with separate sections for inbox, sent, and other messages. A regular expression, quoted in the report as new Regex("\b(Balance|Balans|Summu|Summa|Summ|Dostupno|Izmenen|Vklad|Amount|Availab (the pattern is shown only up to that point), picks out balance-related messages so the operators get financial intelligence without wading through the full dump.
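To see what a filter like this actually selects, here is an added Python example, not the malware's or Group-IB's code, that applies the quoted keyword pattern to a small constructed set of SMS messages and sorts them into the inbox/sent/other buckets the article describes. Closing the alternation after "Available" is an assumption, since the source shows the pattern cut off there, and whether the real pattern is case-insensitive is not stated, so the example keeps it case-sensitive as quoted.

```python
# Added example: applies the balance-keyword filter described in the
# article to constructed SMS text. Not the malware's code.
import re

# Assumption: the quoted pattern ends at "Available" and is case-sensitive.
BALANCE_RE = re.compile(
    r"\b(Balance|Balans|Summu|Summa|Summ|Dostupno|Izmenen|Vklad|Amount|Available)"
)

# Constructed sample messages in the style of bank / mobile-operator SMS
# (folder, text). None of these are real messages.
SAMPLE_SMS = [
    ("inbox", "Balans: 1 250 000 UZS. Karta *1234"),
    ("inbox", "Your code is 482913. Do not share it."),   # one-time code: no keyword
    ("sent",  "Summa perevoda 50000 otpravlena"),
    ("inbox", "Dostupno: 300.00 USD"),
    ("inbox", "Reminder: dentist tomorrow 10:00"),
    ("inbox", "MyBalance: 12"),      # no word boundary before "Balance"
    ("inbox", "balance updated"),    # lowercase: pattern is case-sensitive
    ("draft", "Vklad 100"),          # neither inbox nor sent -> "other"
]


def is_balance_sms(text):
    """True if the message contains one of the balance keywords at a word start."""
    return BALANCE_RE.search(text) is not None


def flagged(messages):
    """Texts that the keyword filter would mark as balance-related."""
    return [text for _, text in messages if is_balance_sms(text)]


def bucket(messages):
    """Group messages the way the ZIP layout is described (inbox / sent /
    other) and record, per message, whether the filter selects it."""
    out = {"inbox": [], "sent": [], "other": []}
    for folder, text in messages:
        key = folder if folder in ("inbox", "sent") else "other"
        out[key].append((text, is_balance_sms(text)))
    return out


if __name__ == "__main__":
    for folder, entries in bucket(SAMPLE_SMS).items():
        for text, hit in entries:
            print(f"{folder:5} {'[balance]' if hit else '         '} {text}")
```

Two things stand out when you run it: the word boundary and case sensitivity mean "MyBalance" and "balance updated" are not selected, and a one-time-code message matches nothing at all. The keyword sweep is about balance intelligence in the historical dump; codes for 2FA would have to come from the live RECEIVE_SMS path described above.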

Recent builds add obfuscation with NP Manager and the Allatori demo, plus a persistence tweak that asks the user to exempt the app from battery optimization so Android does not stop it in the background. Command-and-control has also moved from direct Telegram API calls to HTTP POST requests to intermediary "gate" servers, putting a hop between the victim device and the operators, a sign of continued attention to operational security.
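As an added triage check, not code from Group-IB or from the malware, the following Python script inspects a decoded AndroidManifest.xml for the permission set listed in the infection-mechanism section together with REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, the permission an app needs in order to show the battery-optimization exemption prompt. The manifest is constructed for the example, including its package name and a broadcast receiver for SMS_RECEIVED, which is the usual way an app holding RECEIVE_SMS sees incoming messages; the article does not describe the receiver itself, so that check is an assumption.

```python
# Added triage helper for decoded Android manifests. Not the malware's code
# and not Group-IB's tooling. The sample manifests below are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions the article lists as requested on install.
SMS_CLUSTER = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
# Needed to show the "ignore battery optimizations" dialog (persistence).
BATTERY_PERM = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest modelled on the described behaviour; package name,
# label and receiver name are invented for the example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.presidential.support">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <application android:label="Presidential Support">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign manifest for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>
"""


def manifest_permissions(xml_text):
    """Set of permission names declared with <uses-permission>."""
    root = ET.fromstring(xml_text)
    return {e.get(NAME_ATTR) for e in root.iter("uses-permission")}


def has_sms_receiver(xml_text):
    """True if any intent-filter action registers for SMS_RECEIVED."""
    root = ET.fromstring(xml_text)
    return any(a.get(NAME_ATTR) == SMS_ACTION for a in root.iter("action"))


def triage(xml_text):
    """Return human-readable findings for the manifest (empty = nothing noteworthy)."""
    perms = manifest_permissions(xml_text)
    findings = []
    if SMS_CLUSTER <= perms:
        findings.append("requests the full SMS-interception cluster: "
                        + ", ".join(sorted(SMS_CLUSTER)))
    if BATTERY_PERM in perms:
        findings.append("can prompt to exempt itself from battery optimization")
    if has_sms_receiver(xml_text):
        findings.append("registers a broadcast receiver for SMS_RECEIVED")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, "->", triage(text) or ["no findings"])
```

Run it against the AndroidManifest.xml produced by apktool (the manifest inside an APK is in binary XML and must be decoded first). A manifest only states capability, not behaviour, so a hit here is a reason to put the sample through dynamic analysis, not a verdict on its own; conversely, an obfuscated build still has to declare these permissions, which is what makes this check robust against NP Manager or Allatori-style renaming.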

As the threat landscape evolves, understanding the behavior of such malware becomes crucial for making informed security decisions. Tools like ANY.RUN can assist in investigating live malware behavior and tracing each step of an attack, enabling faster and more intelligent responses to these emerging threats.
