First discovered by the cybersecurity firm Avast, SMSFactory uses a number of tricks to siphon money from victims in the U.S., France, Spain, Turkey, Argentina, Brazil, Russia and other countries around the world. Once installed on a victim’s device, SMSFactory sends premium SMS messages and makes calls to premium-rate phone numbers as part of a conversion scheme where these small charges can quickly add up. If not detected and removed, the malware can rack up charges of up to $7 per week or $336 per year according to a blog post (opens in new tab) from Avast. Another version of the malware found by the firm is capable of extracting a victim’s contact list to help it spread to more devices.
Distributed via malvertising and malicious app stores
SMSFactory is spread through a number of means including malvertising, push notifications and alerts shown on sites offering game hacks, adult content or free streaming services. The malware itself is disguised as an app that provides this type of content but once installed, it hides on a victim’s device and can be quite difficult to detect. A series of websites have been set up by cybercriminals with the goal of spreading and remotely controlling SMSFactory. In the past year alone, Avast has reportedly protected over 165,000 of its users from falling victim to this malware, with the highest number of users protected in Russia, Brazil, Argentina, Turkey and Ukraine. According to a tweet (opens in new tab) from the antivirus maker ESET, SMSFactory is also currently being distributed by two malicious Android app stores: APKMods and PaidAPKFree. Both of these stores lack vetting and as such, the Android package files (APKs) they host, can be used to distribute malware and other viruses.
How SMSFactory hides on your smartphone and remains undetected
If a user downloads SMSFactory from either a website or app store, they are shown how to ignore warnings from Google Play Protect so that the malware can be successfully installed on their Android smartphone. Once installed, a welcome screen appears that requires a user to click “ACCEPT” before they are presented with a basic menu of videos, adult content and games that either don’t work or aren’t available most of the time. In order to remain undetected after installation, the apps used to distribute SMSFactory have a black icon and can hide by removing their app icon from a victim’s home screen. As these apps also don’t have an application name, they can be difficult to find and remove. From here, the malware sends a unique ID allocated to an infected device along with its location, phone number, mobile carrier information and phone model to a pre-set domain. If the cybercriminals behind this campaign find the device is usable, this domain sends instructions back to the smartphone which could either be a list of phone numbers to send premium text messages to or a specific number the app will try to call. Either way, a victim will see excessive charges on their next phone bill. While the exact amount depends on the commands sent by SMSFactory’s operators, in Avast’s testing, the firm has seen a daily $1 charge through ten SMS messages sent that can reach up to $28 by the end of the month.
Avoiding SMSFactory and other mobile malware
Installing a mobile antivirus on your smartphone can help protect you from malware, especially if you often install apps from unknown sources. This is sometimes unavoidable as certain companies prefer to host their apps directly on their sites as opposed to distributing them through an app store. Avast also recommends that users remain cautious when downloading new apps and this is especially true for apps advertised in short and catchy videos or through push notifications in your browser. When it comes to SMSFactory though, disabling or limiting premium SMS with your mobile carrier can help you avoid racking up an expensive phone bill if you happen to become infected. Disabling premium SMS features or at the very least, setting a limit will significantly negate the potential impact of this and other TrojanSMS campaigns. This is also worth doing on your children’s devices as kids often fall for these kinds of tricks especially when trying to install mods or other hacks for their mobile games.