Qwizzserial Android Malware Poses as Legit Apps to Steal Banking Info and Bypass 2FA via SMS Interception

A newly identified Android malware family, known as Qwizzserial, has surfaced as a notable threat in Uzbekistan, cleverly disguising itself as legitimate financial and government applications. This malware primarily spreads through Telegram, utilizing deceptive channels and messages that impersonate government authorities and financial institutions. Fraudsters lure victims with enticing offers such as financial assistance or urgent notifications, often employing Telegram bots to create customized malicious APKs featuring convincing names and logos. Such tactics are meticulously crafted to exploit public trust, thereby increasing infection rates among users who heavily depend on SMS-based services for payment and authentication.

Technical Evolution

Upon installation, Qwizzserial aggressively requests permissions related to SMS and phone state. Once these permissions are granted, it prompts users to input sensitive information, including phone numbers and bank card details. The malware exfiltrates this data using the Telegram Bot API or, in its more recent variants, via HTTP POST requests to a gate server, ultimately routing the information to Telegram bots for further processing. Notably, Qwizzserial is engineered to intercept all incoming SMS messages, including one-time passwords (OTPs) used for two-factor authentication (2FA). It can also extract financial information by scanning messages for keywords and large transaction amounts.

The infection process is highly automated and organized, resembling the structure of the Classiscam scheme. Telegram bots facilitate the generation of new malware samples, while internal group chats coordinate activities among administrators, developers, and “workers” responsible for distributing the APKs. This operation features multiple communication layers, including profit channels that showcase illicit earnings to motivate participants and onboarding channels for new recruits. Recent samples of Qwizzserial have incorporated advanced obfuscation techniques, utilizing tools such as NP Manager and Allatori, and have improved persistence by prompting users to disable battery optimization. The malware’s ongoing evolution is evident, with unused code artifacts suggesting future enhancements in evasion and data exfiltration capabilities.

Scale of Infections

Analysts from Group-IB have tracked approximately 100,000 infections linked to Qwizzserial, with confirmed financial losses exceeding US,000 within a three-month span. The campaign’s infection pattern follows a Pareto distribution, where a small subset of malware samples accounts for the majority of infections. Samples impersonating financial institutions have proven particularly effective, each resulting in thousands of compromised devices. The malware’s capability to intercept SMS messages and bypass SMS-based 2FA presents a significant risk in Uzbekistan, where local payment systems and banking applications predominantly rely on SMS for user authentication and transaction confirmation.

By capturing OTPs and other sensitive data, attackers can gain unauthorized access to user accounts, transfer funds, and bind victim cards to fraudulent wallets. Security solutions such as Group-IB’s Fraud Protection system have developed signature-agnostic detection rules capable of identifying both known and novel Qwizzserial samples by monitoring for sideloaded applications that request SMS permissions. Organizations are encouraged to implement proactive user education, session monitoring, and threat intelligence integration to mitigate the risk of infection. End-users are advised to refrain from installing applications from untrusted sources, scrutinize app permissions, and remain vigilant against offers that seem too good to be true.
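One way to apply the sideloaded-plus-SMS-permissions heuristic described above to a device inventory, added here as an illustration and not Group-IB's own detection rule; the package names and the `pm list packages -i` / `dumpsys package` text are constructed samples, and the trusted-installer list is an assumption:

```python
import re

# Installers treated as trusted app stores (assumption); anything else counts as sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}
# Permissions Qwizzserial requests right after installation: SMS access plus phone state.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
}

# Constructed sample of `adb shell pm list packages -i` output ("installer=null" = sideloaded).
PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:uz.example.paymentbonus  installer=null
package:org.telegram.messenger  installer=com.android.vending
package:com.example.notes  installer=null
"""

# Constructed stand-in for the "requested permissions:" block of `adb shell dumpsys package <pkg>`.
DUMPSYS = {
    "com.android.chrome": "  requested permissions:\n    android.permission.INTERNET\n",
    "uz.example.paymentbonus": (
        "  requested permissions:\n"
        "    android.permission.RECEIVE_SMS\n"
        "    android.permission.READ_SMS\n"
        "    android.permission.READ_PHONE_STATE\n"
        "    android.permission.INTERNET\n"
        "  install permissions:\n"
        "    android.permission.INTERNET: granted=true\n"
    ),
    "org.telegram.messenger": "  requested permissions:\n    android.permission.RECEIVE_SMS\n",
    "com.example.notes": "  requested permissions:\n    android.permission.INTERNET\n",
}

def parse_installers(pm_output):
    """Map package name -> installer package (None when the app was sideloaded)."""
    pairs = re.findall(r"^package:(\S+)\s+installer=(\S+)$", pm_output, re.M)
    return {pkg: (None if inst == "null" else inst) for pkg, inst in pairs}

def parse_requested_permissions(dump):
    """Collect the permission names listed under 'requested permissions:'."""
    perms, inside = set(), False
    for line in dump.splitlines():
        if line.strip() == "requested permissions:":
            inside = True
        elif inside and line.startswith("    "):
            perms.add(line.strip())
        elif inside:
            break  # next section reached
    return perms

def find_suspicious(pm_output, dumps):
    """Return (package, installer, matched SMS permissions) for sideloaded apps wanting SMS access."""
    findings = []
    for pkg, installer in parse_installers(pm_output).items():
        wanted = parse_requested_permissions(dumps.get(pkg, "")) & SMS_PERMISSIONS
        if installer not in TRUSTED_INSTALLERS and wanted:
            findings.append((pkg, installer, sorted(wanted)))
    return findings
```

A store-installed messenger that requests RECEIVE_SMS is left alone, as is a sideloaded app without SMS permissions; only the combination is flagged.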

Indicators of Compromise (IOC)

Type                 Indicator        Example Value / Description
Network Indicator    C2 Domain        llkjllj[.]top
File Hash (SHA-1)    Example Sample   0ff0182805e573533646992496d7b28602e9121d
File Hash (SHA-1)    Latest Sample    773c72f9759dd2d38096ea57d3d236175942bfc4
File Hash (SHA-256)  Example Sample   ea6a11a6e5da7a82bbcaca86c3d35b22f241b20f6ba5ae5e48eded99e19f6aa5
File Hash (SHA-256)  Latest Sample    dd835b6f13fdc6f37618426bec2125e02d54051ecd8e281e21a0b7c63654d538

