A newly identified Android malware family, dubbed Qwizzserial, has emerged as a significant threat in Uzbekistan, targeting users by masquerading as legitimate financial and government applications.
The malware is distributed primarily through Telegram, leveraging deceptive channels and messages that impersonate government authorities and financial institutions.
Fraudsters entice victims with offers such as financial assistance or urgent notifications, often using Telegram bots to generate customized malicious APKs with convincing names and logos.
These tactics are designed to exploit public trust and increase infection rates among users who rely heavily on SMS-based services for payment and authentication.
Technical Evolution
Qwizzserial operates by aggressively requesting permissions related to SMS and phone state upon installation.
Once granted, it prompts users to input sensitive data, including phone numbers and bank card details.
The malware then exfiltrates this information using the Telegram Bot API or, in recent variants, via HTTP POST requests to a gate server, with the data ultimately routed to Telegram bots for further processing.
The malware is engineered to intercept all incoming SMS messages, including one-time passwords (OTPs) used for two-factor authentication (2FA), and is capable of extracting financial information by scanning messages for keywords and large transaction amounts.

The infection process is highly automated and organized, mirroring the structure of the Classiscam scheme.
Telegram bots facilitate the generation of new malware samples, while internal group chats coordinate activities among administrators, developers, and “workers” responsible for distributing the APKs.
The operation features multiple communication layers, including profit channels that showcase illicit earnings to motivate participants, and onboarding channels for new recruits.
Recent Qwizzserial samples have incorporated advanced obfuscation techniques, utilizing tools such as NP Manager and Allatori, and have improved persistence by prompting users to disable battery optimization.
The malware’s evolution indicates ongoing development, with unused code artifacts suggesting future enhancements in evasion and data exfiltration capabilities.
Scale of Infections
Group-IB analysts have tracked approximately 100,000 infections attributed to Qwizzserial, with at least US$62,000 in confirmed financial losses within a three-month period.
The campaign’s infection pattern follows a Pareto distribution, where a small subset of malware samples accounts for the majority of infections.
Samples impersonating financial institutions have proven particularly effective, each resulting in thousands of compromised devices.
The malware’s ability to intercept SMS messages and bypass SMS-based 2FA poses a severe risk in Uzbekistan, where local payment systems and banking apps predominantly rely on SMS for user authentication and transaction confirmation.

By capturing OTPs and other sensitive data, attackers can gain unauthorized access to user accounts, transfer funds, and bind victim cards to fraudulent wallets.
Group-IB’s Fraud Protection system includes signature-agnostic detection rules that identify both known and novel Qwizzserial samples by monitoring for sideloaded applications that request SMS permissions.
For organizations, proactive user education, session monitoring, and threat intelligence integration are recommended to mitigate the risk of infection.
End-users are advised to avoid installing applications from untrusted sources, scrutinize app permissions, and remain vigilant against offers that appear too good to be true.
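The sideloaded-app-plus-SMS-permission heuristic above, written out as an added example (this is not Group-IB’s rule or code). It assumes an inventory of installed packages with their installer and requested permissions, such as one parsed from `adb shell dumpsys package` or exported by an MDM; the sample entries are constructed.

```python
# Added illustration (not Group-IB's rule): flag sideloaded apps that request
# SMS permissions, weighting the extra permissions Qwizzserial asks for.
# Inventory format is an assumption (e.g. parsed from `adb shell dumpsys package`).
from __future__ import annotations
from dataclasses import dataclass, field

TRUSTED_INSTALLERS = {"com.android.vending"}  # anything else, or None, is sideloaded
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
PHONE_STATE = "android.permission.READ_PHONE_STATE"
BATTERY_OPT = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"

@dataclass
class AppInfo:
    package: str
    installer: str | None                  # None when installed from an APK file
    permissions: set[str] = field(default_factory=set)

def score_app(app: AppInfo) -> int:
    """Risk score for one app; 0 means the heuristic does not fire."""
    sideloaded = app.installer not in TRUSTED_INSTALLERS
    sms = app.permissions & SMS_PERMS
    if not (sideloaded and sms):
        return 0                           # Play-installed or no SMS access
    score = 10 * len(sms)                  # each SMS permission adds weight
    if PHONE_STATE in app.permissions:     # phone state, as the report describes
        score += 10
    if BATTERY_OPT in app.permissions:     # persistence via battery optimisation
        score += 10
    return score

def flag_suspicious(inventory: list[AppInfo], threshold: int = 10) -> list[tuple[str, int]]:
    """(package, score) pairs at or above threshold, highest score first."""
    hits = [(a.package, score_app(a)) for a in inventory]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])

# Constructed sample inventory; package names are placeholders, not real IoCs.
SAMPLE_INVENTORY = [
    AppInfo("com.example.bank", "com.android.vending", {"android.permission.RECEIVE_SMS", PHONE_STATE}),
    AppInfo("uz.placeholder.payout", None, SMS_PERMS | {PHONE_STATE, BATTERY_OPT}),
    AppInfo("com.example.game", None, {"android.permission.INTERNET"}),
]

if __name__ == "__main__":
    for pkg, score in flag_suspicious(SAMPLE_INVENTORY):
        print(f"{pkg}: score {score}")
```

A Play-installed banking app that legitimately reads SMS scores 0, so the rule keys on the sideloading channel the report describes rather than on SMS access alone.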
Indicators of Compromise (IOC)
| Type | Indicator | Example Value / Description |
|---|---|---|
| Network Indicator | C2 Domain | llkjllj[.]top1 |
| File Hash (SHA-1) | Example Sample | 0ff0182805e573533646992496d7b28602e9121d1 |
| File Hash (SHA-1) | Latest Sample | 773c72f9759dd2d38096ea57d3d236175942bfc41 |
| File Hash (SHA-256) | Example Sample | ea6a11a6e5da7a82bbcaca86c3d35b22f241b20f6ba5ae5e48eded99e19f6aa51 |
| File Hash (SHA-256) | Latest Sample | dd835b6f13fdc6f37618426bec2125e02d54051ecd8e281e21a0b7c63654d5381 |