Telegram distribution

A new Android malware family named Qwizzserial has emerged, primarily affecting users in Uzbekistan. Identified by Group-IB in March 2024, it functions as an SMS stealer that intercepts two-factor authentication codes and banking information. The malware disguises itself as legitimate applications and spreads through deceptive messages on Telegram, leading to approximately 100,000 infections from around 1,200 samples. Qwizzserial employs social engineering tactics, such as enticing file names and fake Telegram channels, to lure victims. Once installed, it requests permissions for phone calls and SMS access to exfiltrate sensitive data using Telegram bots. Advanced variants utilize obfuscation tools and may request users to disable battery optimization. The financial impact is significant, with one group reportedly generating around 0,000 between mid-March and mid-June 2025. The malware targets banking notifications and large transactions, exploiting the local banking sector's reliance on SMS authentication. Group-IB has developed detection methods to combat this threat.