SMSspy
⚠️ Overview
SMSspy is Android spyware first documented by Lookout Threat Labs in a 2018 report. It targets mobile devices for covert SMS interception and is classified as a remote access trojan (RAT) with spyware capabilities. Its operators are unidentified, though Lookout's 2018 analysis suggests links to financially motivated groups in South Asia, with targeting concentrated on users in India and Pakistan for credential theft and bypass of SMS-based two-factor authentication (2FA).
🔧 Technical Capabilities
SMSspy spreads as malicious APKs disguised as legitimate applications (utility tools, messaging apps) distributed through third-party app stores and phishing links. On installation it requests the READ_SMS and RECEIVE_SMS permissions (runtime permissions on Android 6.0 and later, so the user has to approve the prompt), receives incoming messages through the SMS_RECEIVED broadcast that RECEIVE_SMS unlocks, and silently forwards every message to a hardcoded command-and-control (C2) server over HTTP POST. It activates itself as a device administrator for persistence: an active device admin cannot be uninstalled until the user deactivates it in the device admin settings. Evasion includes hiding its launcher icon and obfuscating code to hinder static analysis. Exfiltrated SMS data is Base64-encoded in the C2 traffic (encoding, not encryption, so the messages are readable in any proxy capture), and dynamic DNS domains may be used to outlast blocklists. The malware also accepts remote commands from the C2, such as sending SMS from the infected device or placing calls to premium-rate numbers. In MITRE ATT&CK for Mobile the SMS collection maps to Protected User Data: SMS Messages (T1636.004); the premium SMS and call commands are separate impact behaviors, not part of that collection technique.
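The manifest-level footprint of the behavior just described (SMS permissions, an SMS_RECEIVED receiver, a device-admin receiver, no launcher entry) can be checked statically on a decoded AndroidManifest.xml. The following is an example added here; it is not code from Lookout or from any SMSspy sample. The two manifests it runs on are constructed for the example, and the package and component names in them are made up.

```python
"""Static triage of a decoded AndroidManifest.xml (as produced by apktool or
aapt) for the SMS-interception pattern. Editor-added example; not from any
vendor report or real sample. Sample manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMS = {"android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}


def android_attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _filter_names(intent_filter, tag):
    """android:name values of <action>/<category> children of an intent-filter."""
    return {android_attr(e, "name") for e in intent_filter.iter(tag)}


def _priority(intent_filter):
    """Integer android:priority, or None if absent or a resource reference."""
    raw = android_attr(intent_filter, "priority")
    try:
        return int(raw) if raw is not None else None
    except ValueError:
        return None


def triage_manifest(manifest_xml):
    """Return the package name and the findings that match the SMSspy pattern."""
    root = ET.fromstring(manifest_xml)
    findings = []

    perms = {android_attr(e, "name") for e in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMS)
    if sms_perms:
        findings.append("sms_permissions=" + ",".join(p.rsplit(".", 1)[1] for p in sms_perms))

    # No MAIN/LAUNCHER activity means no icon from the start. Malware can also
    # declare one and disable it at runtime, so absence is a signal but
    # presence is not a clean bill of health.
    has_launcher = any(
        "android.intent.action.MAIN" in _filter_names(f, "action")
        and "android.intent.category.LAUNCHER" in _filter_names(f, "category")
        for act in root.iter("activity") for f in act.iter("intent-filter"))
    if not has_launcher:
        findings.append("no_launcher_activity")

    for rcv in root.iter("receiver"):
        name = android_attr(rcv, "name")
        # A device-admin receiver must be guarded by BIND_DEVICE_ADMIN.
        if android_attr(rcv, "permission") == "android.permission.BIND_DEVICE_ADMIN":
            findings.append("device_admin_receiver=%s" % name)
        for f in rcv.iter("intent-filter"):
            if "android.provider.Telephony.SMS_RECEIVED" in _filter_names(f, "action"):
                prio = _priority(f)
                findings.append("sms_receiver=%s;priority=%s" % (name, prio if prio is not None else "default"))
                # 999 is the highest priority an ordinary app may claim;
                # SMS stealers use it to see the message before the SMS app.
                if prio is not None and prio >= 999:
                    findings.append("sms_receiver_high_priority")
    return {"package": root.get("package"), "findings": findings}


def looks_like_sms_spy(result):
    """Heuristic: SMS permission + SMS receiver + (device admin or no launcher icon)."""
    def has(prefix):
        return any(x.startswith(prefix) for x in result["findings"])
    return (has("sms_permissions") and has("sms_receiver=")
            and (has("device_admin_receiver") or has("no_launcher_activity")))


# Constructed sample: the pattern described in the text.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.smsutil">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="System Util">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a messaging app that legitimately receives SMS.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Messenger">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], looks_like_sms_spy(r), r["findings"])
```

The heuristic deliberately needs two signals on top of the permission, because a legitimate SMS app also holds RECEIVE_SMS and registers an SMS_RECEIVED receiver; it is the device-admin receiver and the missing launcher entry that separate the two constructed manifests. Run it on the manifest apktool emits, not on the binary AXML inside the APK.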
📜 History & Notable Incidents
SMSspy first appeared in early 2018; Lookout reported active campaigns against banking users in India aimed at intercepting one-time passwords (OTPs) for financial fraud. In 2020 Kaspersky described a variant (report "SMSspy: The Evolving Threat") that abuses Android accessibility services to capture on-screen content alongside SMS; an accessibility service has to be enabled by the user in Settings, so that variant depends on social engineering at install time. No CVE is specific to SMSspy, and the behavior described above needs only permissions the user grants. The CVE-2018-9544 link (described as an Android PackageManager privilege-escalation bug used to gain elevated permissions) is reported for some variants and should be confirmed against the sample in hand before it drives patch prioritisation. Law enforcement action has been limited because the actor groups are decentralised, although Interpol issued a general alert in 2019 on SMS-stealing malware campaigns in Southeast Asia.
🔍 Detection Indicators
The SHA256 value given for the sample, 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1 (attributed to Lookout's sample repository), is 63 hex characters, one short of a valid SHA-256, and its repeating 0a1b2c3d pattern marks it as a placeholder; do not load it into a blocklist without confirming the real digest. Behavioral indicators include outbound HTTP requests to domains such as sms-spy[.]com and app-update[.]xyz and installation of the package name com.system.smsutil. Android has no registry; the C2 URL is stored in the app's shared preferences XML at /data/data/com.system.smsutil/shared_prefs/config.xml, which is accessible on-device only with root. A static lock file at /data/system/sms_spy.lock has also been reported as a mutex-like infection marker; /data/system is not writable by an ordinary app, so its presence implies root or a system-privileged component, and its absence proves nothing. The observed User-Agent, Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36, is a generic Samsung Galaxy S7 string chosen to blend in; it is far too common to alert on by itself and should only corroborate a domain or payload match.
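Putting those indicators to work on the network side: the example below, added here and not taken from Lookout or any other vendor, hunts through proxy-log records for the listed C2 domains, decodes Base64 POST bodies and checks them for OTP-like text, treats the generic User-Agent as corroboration only, and rejects a hash that is not a well-formed SHA-256. The log records, field names, phone number and OTP are all constructed for the example.

```python
"""Network-side hunting for the SMSspy indicators. Editor-added example; the
JSON-lines proxy log format, its field names, and the message text are
assumptions, and every record below is constructed, not captured traffic."""
import base64
import json
import re
from typing import Optional

# Defanged C2 domains from the indicator list, normalised for matching.
C2_DOMAINS = {"sms-spy.com", "app-update.xyz"}
SUSPECT_UA = "Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36"
# "OTP"/"one-time"/"verification code" followed by a 4-8 digit code.
OTP_RE = re.compile(r"\b(?:OTP|one[- ]time|verification code)\b.*?\b\d{4,8}\b", re.I | re.S)
SHA256_RE = re.compile(r"[0-9a-f]{64}")


def is_valid_sha256(value: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; anything else is a placeholder."""
    return SHA256_RE.fullmatch(value.strip().lower()) is not None


def host_matches(host: str, domains=C2_DOMAINS) -> bool:
    """Exact or subdomain match, so api.app-update.xyz hits app-update.xyz
    but notsms-spy.com does not hit sms-spy.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def decode_body(body_b64: str) -> Optional[str]:
    """Decode a Base64 POST body; None if it is not valid Base64 or UTF-8."""
    try:
        return base64.b64decode(body_b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyse(records):
    """One alert per record that carries a strong indicator.

    The generic Samsung UA never raises an alert on its own: it is what a
    great many legitimate devices send, so it only adds context to a hit."""
    alerts = []
    for rec in records:
        reasons = []
        if host_matches(rec["host"]):
            reasons.append("c2_domain")
        body = decode_body(rec.get("body_b64", "")) if rec.get("method") == "POST" else None
        if body and OTP_RE.search(body):
            reasons.append("otp_in_base64_body")
        if reasons and rec.get("ua") == SUSPECT_UA:
            reasons.append("generic_samsung_ua")
        if reasons:
            alerts.append({"ts": rec["ts"], "host": rec["host"],
                           "reasons": reasons, "body": body})
    return alerts


def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed proxy log (JSON lines). Number and OTP are made up.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": "2018-03-01T10:00:01Z", "method": "POST", "host": "sms-spy.com",
     "path": "/upload.php", "ua": SUSPECT_UA,
     "body_b64": b64("from=+910000000000&body=Your OTP is 482913. Do not share it.")},
    {"ts": "2018-03-01T10:00:05Z", "method": "GET", "host": "cdn.example.net",
     "path": "/app.js", "ua": SUSPECT_UA},
    {"ts": "2018-03-01T10:01:00Z", "method": "POST", "host": "api.app-update.xyz",
     "path": "/ping", "ua": "okhttp/3.10.0", "body_b64": b64("id=abc123&v=2")},
    {"ts": "2018-03-01T10:02:00Z", "method": "POST", "host": "mail.example.net",
     "path": "/send", "ua": "okhttp/3.10.0", "body_b64": "not base64!!"},
])


def run_hunt(log_text: str = SAMPLE_LOG):
    """Parse JSON lines and return the alerts for them."""
    return analyse(json.loads(line) for line in log_text.splitlines() if line.strip())


if __name__ == "__main__":
    for a in run_hunt():
        print(a["ts"], a["host"], a["reasons"], repr(a["body"]))
```

Of the four constructed records, only the two that reach a listed domain produce alerts; the GET with the Samsung User-Agent is ignored, and the undecodable body is skipped rather than treated as evidence. Because Base64 is reversible, the decoded body in the first alert shows exactly which OTP left the device, which is what an incident responder needs to tell the bank.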
☠️ Risk & Impact
SMSspy's primary impact is exfiltration of SMS messages, which yields financial OTPs and personal communications and enables unauthorized bank transfers and identity fraud. It targets mobile banking users; Lookout's 2018 report counted over 10,000 compromised devices in India alone. Longer-term consequences include loss of privacy, defeated SMS-based two-factor authentication (2FA), and follow-on attacks that reuse the stolen credentials.
🛡️ Mitigation
To defend against SMSspy, users should install apps only from the official Google Play Store, keep Google Play Protect enabled, review which apps hold the SMS permission and which are active device administrators, and deactivate and uninstall any they do not recognise (a device admin app has to be deactivated in the security settings before Android will let it be removed). Enterprises should deploy mobile threat defense (MTD) with behavioral rules for SMS interception (e.g., YARA signatures from Lookout's open-source repository), block the C2 domains at the network edge, and, where they issue OTPs themselves, move users from SMS codes to app-based or hardware authenticators that an SMS stealer cannot read. Regular Android security updates remain important; they close privilege-escalation bugs such as the CVE-2018-9544 link reported for some variants.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.