Full Report
1. Overview Smartphones have become an essential tool in modern society and sit at the center of everyday life. This has also driven a continuous rise in crimes committed through mobile devices. Among them, smishing is a major means of executing various crimes, including personal information theft, credential abuse, and sextortion, by distributing phishing pages […]
Analysis Summary
# Tool/Technique: Smishing Attacks (Android)
## Overview
Smishing (SMS phishing) is a primary delivery method for mobile crime on the Android platform: SMS messages carry URLs that lead either to phishing pages or to the download of malicious applications. The goal is to commit crimes such as personal information theft, credential abuse, and sextortion.
## Technical Details
- Type: Technique/Attack Vector (Malicious Application Distribution via SMS)
- Platform: Android
- Capabilities: Luring victims by impersonating trusted sources (public institutions, acquaintances), deploying phishing pages, and installing covertly malicious applications under the guise of a legitimate service.
- First Seen: Ongoing threat, analysis based on 2024 data.
## MITRE ATT&CK Mapping
The report describes initial access by deception followed by installation of a disguised app that reads SMS and notification content. The closest mappings are in ATT&CK for Mobile; the Enterprise phishing sub-techniques carry different meanings (T1566.001 is an e-mail attachment and T1566.004 is voice phishing; there is no Enterprise "SMS" sub-technique):
- **TA0027 - Initial Access (Mobile)**
  - T1660 - Phishing (SMS-delivered links to phishing pages and APK downloads)
- **TA0030 - Defense Evasion (Mobile)**
  - T1655.001 - Masquerading: Match Legitimate Name or Location (apps posing as petition or insurance services)
- **TA0035 - Collection (Mobile)**
  - T1636.004 - Protected User Data: SMS Messages (reading SMS content, including verification codes)
  - T1517 - Access Notifications (reading codes delivered as notifications)
- Enterprise equivalent, where only the link matters: T1566.002 - Phishing: Spearphishing Link.
## Functionality
### Core Capabilities
* **Social Engineering Lures:** Impersonating public institutions (Ministry of the Interior and Safety, National Health Insurance Service, Korea Post), acquaintances (congratulatory messages, claimed coincidental meetings), financial gain opportunities (investment scams), or social/sexual encounters ("Meeting Grades").
* **URL Distribution:** Sending malicious URLs embedded within SMS messages.
* **Phishing Site Delivery:** Directing users to fake landing pages that match the context of the lure (e.g., petition/insurance apps, login pages).
* **Malicious App Installation:** Using the pretense of a necessary service (a petition or insurance app) to trick users into sideloading a malicious application from the linked page rather than an app store.
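The lure-plus-link shape described in the four capabilities above can be scored mechanically. The following is an added triage example, not code from the original report: it extracts URLs from an SMS, flags direct `.apk` downloads and shorteners, matches the institutions the report names as impersonated, and detects verification-code lures. The keyword lists, weights, threshold and the sample messages are constructed assumptions for illustration.

```python
"""Smishing SMS triage: an added example, not code from the original report.

Scores a message on the indicators the analysis describes: an embedded URL,
a direct .apk download, a URL shortener hiding the real host, text that
impersonates an institution the report names, and a request to enter a
verification code. Keyword lists, weights and the sample messages are
constructed assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

# Institutions and services the report lists as impersonated (assumed English forms).
IMPERSONATED = (
    "ministry of the interior",
    "national health insurance",
    "korea post",
    "petition",
    "insurance",
)
# Phrases that indicate a verification-code harvesting lure (assumed list).
CODE_LURES = ("verification code", "login code", "enter the code")
# Shorteners that hide the landing host until clicked (assumed list).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "han.gl", "me2.kr"}


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)
    urls: list[str] = field(default_factory=list)  # defanged for reporting


def defang(url: str) -> str:
    """Make a URL safe to paste into a ticket: hxxp:// and [.] instead of ."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def triage_sms(text: str) -> Verdict:
    v = Verdict()
    lowered = text.lower()
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,)")            # drop trailing punctuation
        v.urls.append(defang(url))
        v.score += 2
        v.reasons.append("url")
        parsed = urlparse(url if "://" in url else "http://" + url)
        host = (parsed.hostname or "").lower()
        if parsed.path.lower().endswith(".apk"):
            v.score += 4                   # sideload link, the core of the campaign
            v.reasons.append("direct apk download")
        if host in SHORTENERS:
            v.score += 2
            v.reasons.append("url shortener")
    hits = [k for k in IMPERSONATED if k in lowered]
    if hits:
        v.score += 3
        v.reasons.append("impersonation: " + ", ".join(hits))
    code_lure = any(p in lowered for p in CODE_LURES)
    if code_lure:
        v.score += 3
        v.reasons.append("verification code lure")
    # A lure paired with a link is the shape every case in the report shares.
    if v.urls and (hits or code_lure):
        v.score += 2
        v.reasons.append("lure + link")
    return v


def is_suspicious(text: str, threshold: int = 5) -> bool:
    return triage_sms(text).score >= threshold


# Constructed sample messages (not real campaign text).
SAMPLE_MESSAGES = [
    "[Korea Post] Your parcel could not be delivered. Confirm address: http://bit.ly/x1y2z3",
    "National Health Insurance Service: refund pending, install the insurance app http://example.net/nhis.apk",
    "Your Telegram verification code is needed to continue, enter the code at http://example.org/verify",
    "Lunch tomorrow at 12? I'll book the usual place.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        v = triage_sms(msg)
        print(f"{v.score:>2} {'SUSPICIOUS' if v.score >= 5 else 'ok'} {v.reasons} {v.urls}")
```

The scoring is deliberately additive rather than a single regex so that a benign message mentioning insurance without a link stays below the threshold, while a link alone is only a weak signal until paired with an institution name or a code request.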
### Advanced Features
* **Credential Theft and Account Takeover (Telegram Focus):** Specifically targeting Telegram accounts by tricking users into entering their login verification code on a phishing site; the code is forwarded to the attacker's server, who uses it to log in, disable device synchronization, and lock the legitimate user out of the account.
* **Advanced Relationship Building:** In investment scams, threat actors establish relationships via social media messaging (likes/comments) before introducing investment fraud.
* **Coordinated Crime:** Use of infected devices to steal accounts, monitor victims, and redistribute further smishing messages.
## Indicators of Compromise
* **File Hashes:**
* MD5: `030162b38862c2132df1e8f1453642d8`, `03e734aee342f960b82c23065164232a`, `0831192e148392cbc7e8d1e254d06bd0`, `0aee15d31615184c74840f8df2195cea`, `15276fe562bfe4ecb5b2ee1ce53183c1`
* **File Names:** Malicious apps installed under the guise of official services (e.g., Petition apps, Insurance apps).
* **Registry Keys:** Not applicable (Android has no registry); persistence artifacts are not specified in the context.
* **Network Indicators:** Malicious URLs distributed via SMS leading to phishing sites designed to steal credentials or distribute malware. C2 servers receive validation codes (for Telegram takeover). (No specific defanged domains/IPs provided in the context).
* **Behavioral Indicators:** Apps installed from an SMS-delivered link rather than an app store; apps requesting access to SMS or notification content and other high-privilege permissions common in Android malware; Telegram logins from an unfamiliar device followed by disabling synchronization and terminating the victim's access.
## Associated Threat Actors
The report details the *methods* used by threat actors, including those specialized in financial fraud (investment scams) and account takeover (Telegram). Specific named groups were not mentioned in the context provided.
## Detection Methods
* **Signature-based detection:** Match the listed MD5 hashes against APK samples collected from devices or the phishing landing pages.
* **Behavioral detection:** Flag sideloaded installs that follow a click on an SMS link, and apps that request SMS or notification access shortly after installation; on the user side, treat any web page asking for a Telegram verification code as a takeover attempt.
* **YARA rules:** Not available in the context summary.
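The behavioral indicators and the two detection methods above can be checked on a collected sample. The following is an added example, not code from the original report: it compares a sample's MD5 against the hashes in the IoC section and scores a decoded `AndroidManifest.xml` for the behaviours the report names (SMS and notification access, other high-privilege permissions, and a label posing as a petition or insurance service). The permission weights and the sample manifest are constructed assumptions.

```python
"""Android app triage for smishing payloads: an added example, not code from
the original report.

Two checks the analysis calls for: (1) the MD5 of a sample against the
hashes listed in the IoC section, and (2) a decoded AndroidManifest.xml
scored for the behaviours the report names, namely access to SMS and
notification content, other high-privilege permissions, and a label that
impersonates a petition or insurance service. The permission weights and
the sample manifest are constructed assumptions.
"""
from __future__ import annotations

import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# MD5 hashes from the IoC section of this page.
IOC_MD5 = {
    "030162b38862c2132df1e8f1453642d8",
    "03e734aee342f960b82c23065164232a",
    "0831192e148392cbc7e8d1e254d06bd0",
    "0aee15d31615184c74840f8df2195cea",
    "15276fe562bfe4ecb5b2ee1ce53183c1",
}

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android(attr: str) -> str:
    """Qualified attribute name for the android: namespace."""
    return f"{{{ANDROID_NS}}}{attr}"


# Weights are assumptions; SMS access dominates because the report's
# payloads read SMS/notification content to capture codes.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.READ_SMS": 3,
    "android.permission.SEND_SMS": 2,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.READ_PHONE_STATE": 1,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,
    "android.permission.SYSTEM_ALERT_WINDOW": 2,
}
RISKY_SERVICE_BINDS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": 4,
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 4,
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
LURE_LABELS = ("petition", "insurance")   # services the report says are imitated


@dataclass
class ManifestVerdict:
    package: str
    label: str
    score: int = 0
    findings: list[str] = field(default_factory=list)


def md5_matches_ioc(data: bytes) -> bool:
    """Signature check: is this sample one of the listed hashes?"""
    return hashlib.md5(data).hexdigest() in IOC_MD5


def triage_manifest(manifest_xml: str) -> ManifestVerdict:
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    v = ManifestVerdict(root.get("package", ""),
                        app.get(android("label"), "") if app is not None else "")
    for up in root.iter("uses-permission"):
        name = up.get(android("name"), "")
        if name in RISKY_PERMISSIONS:
            v.score += RISKY_PERMISSIONS[name]
            v.findings.append(f"permission: {name}")
    for rcv in root.iter("receiver"):          # SMS interception receiver
        for action in rcv.iter("action"):
            if action.get(android("name")) == SMS_RECEIVED:
                v.score += 3
                v.findings.append(f"receiver {rcv.get(android('name'))} listens for SMS_RECEIVED")
    for svc in root.iter("service"):           # notification/accessibility access
        perm = svc.get(android("permission"), "")
        if perm in RISKY_SERVICE_BINDS:
            v.score += RISKY_SERVICE_BINDS[perm]
            v.findings.append(f"service binds {perm}")
    for word in LURE_LABELS:
        if word in v.label.lower():
            v.score += 3
            v.findings.append(f"label impersonates a {word} service")
    return v


# Constructed manifest resembling a disguised "petition" app (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.petition">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Public Petition">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".NotifListener"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    verdict = triage_manifest(SAMPLE_MANIFEST)
    print(verdict.package, verdict.label, verdict.score)
    for finding in verdict.findings:
        print(" -", finding)
```

The manifest inside an APK is binary XML; decode it first (for example with apktool) and pass the resulting text to `triage_manifest`. The hash check alone only catches the five listed samples, which is why the permission and component scoring sits beside it: a repacked variant keeps the same SMS receiver and notification-listener service even when its hash changes.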
## Mitigation Strategies
* **Prevention Measures:** Educating users on recognizing smishing attempts, especially those impersonating official government/financial services.
* **Hardening Recommendations:** Treat unsolicited links in SMS and messaging apps as suspect regardless of the sender's apparent identity, since sender names are trivially spoofed. Verify official requests through an established, separate channel (the institution's published number or app) rather than the embedded link, and install apps only from the official store, never from a link in a message. For Telegram, never enter a verification code on any web page; Telegram delivers codes only into the app or by SMS, and a site asking for one is harvesting it for account takeover.
## Related Tools/Techniques
* SMS Spam/Smishing campaigns.
* Credential harvesting phishing pages (mimicking institutional logins).
* Financial/Investment scamming techniques utilizing personalized social engineering.