Executive Summary
In early 2024, Android users in Uzbekistan experienced a surge of targeted attacks as cybercriminals deployed SMS-stealer malware through phishing campaigns delivered via Telegram. The attackers leveraged fake and malicious applications purpose-built to intercept and exfiltrate SMS messages, enabling unauthorized access to multi-factor authentication codes and banking credentials. Threat actors demonstrated increasing sophistication and adaptability by iterating on malware variants, incorporating obfuscation tactics, and exploiting the popularity of Telegram as a distribution channel. This resulted in significant risks of financial theft and compromised user privacy across a large segment of Uzbek Android device users.
This incident highlights the evolving landscape of mobile infostealer attacks in Central Asia, with a marked uptick in the use of instant messaging platforms as malware delivery vectors. The swift adaptation of criminal tactics underscores the necessity for organizations and individuals to strengthen mobile endpoint security and remain vigilant against increasingly convincing phishing and sideloading threats.
Why This Matters Now
The ongoing wave of SMS-stealer malware in Uzbekistan exemplifies a broader trend of cybercriminals targeting emerging digital markets with region-specific attacks. As threat actors refine their methods and leverage widely trusted messaging platforms, organizations must act swiftly to address mobile security gaps and educate users on safe app installation practices to prevent widespread credential compromise.
Attack Path Analysis
Attackers initiated compromise by distributing Android SMS-stealer malware, likely via phishing or malicious applications targeting Uzbek Telegram users. Upon infection, the malware leveraged permissions to gain access to SMS and potentially escalate privileges by abusing device management APIs or exploiting misconfigurations. The malware sought to move laterally by accessing other messaging apps, contacts, or cloud-stored data on the device. It established command and control channels to communicate with attacker infrastructure and receive updated instructions. Stolen SMS data and sensitive information were exfiltrated over the network to threat actor-controlled servers. The impact included the potential takeover of user accounts, privacy violations, and broader financial or reputational losses for victims.
Kill Chain Progression
Initial Compromise
Description
Victims were tricked into installing malicious Android SMS-stealer apps, likely via phishing links or trojanized downloads targeting Telegram users.
Related CVEs
CVE-2025-48633
CVSS 7.5
An information disclosure vulnerability in Android versions 13 through 16 allows attackers to access sensitive information without user interaction.
Affected Products:
Google Android – 13, 14, 15, 16
Exploit Status:
exploited in the wild
CVE-2025-48572
CVSS 7.8
An elevation of privilege vulnerability in Android versions 13 through 16 allows attackers to gain higher privileges without user interaction.
Affected Products:
Google Android – 13, 14, 15, 16
Exploit Status:
exploited in the wild
CVE-2025-48631
CVSS 7.5
A denial-of-service vulnerability in the Android Framework allows remote attackers to cause a device to become unresponsive.
Affected Products:
Google Android – 13, 14, 15, 16
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Mapped techniques reflect SMS-stealer malware targeting Android devices and support security research use cases. Further enrichment is available through STIX/TAXII feeds.
Deliver Malicious App via Authorized App Store
User Execution: Malicious Application
Access Sensitive Data or Credentials in Files
Capture SMS Messages
Application Layer Protocol
Obfuscated Files or Information
Download New Code at Runtime
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Authentication for User Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 9(2)(b)
CISA ZTMM 2.0 – Continuously Assess Mobile Device Security Posture
Control ID: ZT-DEVICE-2
NIS2 Directive – Incident Handling and Response Capabilities
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Android SMS-stealer malware targeting Telegram users threatens SMS routing infrastructure, requiring enhanced encrypted traffic protection and egress security controls.
Banking/Mortgage
SMS-based authentication systems face compromise from evolving infostealer malware, necessitating zero trust segmentation and anomaly detection for financial transactions.
Government Administration
Uzbek government communications conducted via Telegram are vulnerable to SMS interception, demanding multicloud visibility controls and threat detection capabilities for national security.
Financial Services
SMS-stealer malware threatens two-factor authentication systems, requiring inline IPS protection and egress policy enforcement to prevent credential theft.
Sources
- Uzbek Users Under Attack by Android SMS-Stealers – https://www.darkreading.com/cyber-risk/uzbek-users-android-sms-stealers
- Android SMS Stealer Infects 100,000 Devices in Uzbekistan – https://www.infosecurity-magazine.com/news/android-sms-stealer-100000/
- Discovery of Qwizzserial: A New Android SMS Stealer Family – https://blog.netmanageit.com/discovery-of-qwizzserial-a-new-android-sms-stealer-family/
- Google just fixed 107 security flaws including two zero-days - update your Android phone right now – https://www.tomsguide.com/computing/online-security/google-just-fixed-107-security-flaws-including-two-zero-days-update-your-android-phone-right-now
Cloud Native Security Fabric (CNSF) Mitigations and Controls
A multi-layered Zero Trust approach incorporating network segmentation, workload visibility, anomaly detection, and strict egress controls could have detected or blocked critical stages such as lateral movement, C2 communication, and exfiltration, significantly limiting the attack's reach and impact.
Control: Threat Detection & Anomaly Response
Mitigation: Early identification of suspicious connections or device behavior.
Control: Zero Trust Segmentation
Mitigation: Limit malware access to sensitive internal services or APIs.
Control: East-West Traffic Security
Mitigation: Detect and prevent unauthorized internal traversal.
Control: Egress Security & Policy Enforcement
Mitigation: Block or restrict outbound communications to unapproved destinations.
Control: Cloud Firewall (ACF)
Mitigation: Prevent unauthorized data exfiltration over cloud or hybrid links.
Enhance visibility for rapid detection and response to suspicious activities post-compromise.
Impact at a Glance
Affected Business Functions
- Mobile Banking
- Messaging Services
- User Authentication
Estimated downtime: 7 days
Estimated loss: $62,000
The malware campaign led to unauthorized access to SMS messages, including one-time passwords (OTPs) for banking and authentication, resulting in financial fraud and potential compromise of personal data.
Recommended Actions
Key Takeaways & Next Steps
- Apply Zero Trust segmentation to limit application and service access from compromised devices.
- Enforce strict outbound (egress) controls and FQDN filtering to prevent unauthorized C2 and data exfiltration from user environments.
- Deploy threat detection and continuous anomaly monitoring to identify suspicious device behavior early.
- Enable east-west traffic visibility to catch lateral movement attempts across device, app, or network boundaries.
- Regularly update policy enforcement and cloud firewall controls to match emerging mobile malware and infostealer TTPs.
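One way to operationalize the egress filtering and anomaly monitoring recommended above, as an added example that is not part of the original report: it evaluates constructed device telemetry records and blocks a connection when an app holding SMS permissions was sideloaded and talks to a destination outside the egress allowlist. The package names, installer field and allowlisted FQDNs are hypothetical assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Android permissions an SMS stealer needs in order to read incoming OTPs.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; anything else counts as sideloaded
# Hypothetical egress allowlist of approved FQDNs (assumption, not from the report).
EGRESS_ALLOWLIST = {"api.bank.example", "telegram.org"}

@dataclass(frozen=True)
class Connection:
    device_id: str
    package: str
    installer: Optional[str]        # None = installed outside a trusted store
    permissions: frozenset
    dest_fqdn: str

def fqdn_allowed(fqdn: str, allowlist=EGRESS_ALLOWLIST) -> bool:
    """True if fqdn equals, or is a subdomain of, an allowlisted name."""
    host = fqdn.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowlist)

def risk_factors(c: Connection) -> List[str]:
    factors = []
    if c.permissions & SMS_PERMISSIONS:
        factors.append("sms_permission")
    if c.installer not in TRUSTED_INSTALLERS:
        factors.append("sideloaded")
    if not fqdn_allowed(c.dest_fqdn):
        factors.append("egress_not_allowlisted")
    return factors

def evaluate(conns: List[Connection]) -> List[Tuple[str, str, str, List[str]]]:
    """Block when all three factors coincide, alert on any non-allowlisted egress, else allow."""
    out = []
    for c in conns:
        f = risk_factors(c)
        action = "block" if len(f) == 3 else "alert" if "egress_not_allowlisted" in f else "allow"
        out.append((action, c.package, c.dest_fqdn, f))
    return out

# Constructed sample telemetry (hypothetical packages and hosts).
SAMPLE = [
    Connection("dev-01", "com.example.smsapp", None,
               frozenset(SMS_PERMISSIONS), "collector.bad.example"),
    Connection("dev-02", "com.example.weather", "com.android.vending",
               frozenset({"android.permission.INTERNET"}), "cdn.unknown.example"),
    Connection("dev-03", "com.example.bank", "com.android.vending",
               frozenset({"android.permission.INTERNET"}), "api.bank.example"),
]
```

Running `evaluate(SAMPLE)` yields block, alert and allow for the three records respectively; in practice the records would come from MDM or network telemetry rather than constructed values.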