SMS attacks are malicious threats that use short message service (SMS) and other mobile-based messaging applications to carry out cyberattacks. These attacks use malicious software and websites to harm users.
SMS attacks can lead to theft of private data and spreading malware to other users. Attacks based on SMS and other text messaging may use many tools to execute their efforts. However, these attacks most commonly make use of malicious software — or malware.
In essence, SMS malware is any malicious software delivered to victims by text messaging.
While malware may be delivered to mobile devices via email and many other means, SMS malware is promoted through a text message. This harmful software is designed to breach and operate on a mobile device without the user’s permission.
Once on a device, the malware can then cause any number of detrimental effects. Most of these revolve around the following categories:
All mobile devices are vulnerable to SMS malware and text messaging attacks. Devices affected often run Google’s Android platform, as it runs on the majority of the world’s smartphones and tablets. While this widely used platform is an ideal target for hackers, SMS malware can also target Apple’s iOS, despite the misconception that it is malware-free.
If anything, these threats cement the importance of anti-malware on mobile devices.
SMS-based malware threats continue to grow year on year and will continue to pose a major risk to mobile device users in the years to come. SMS malware is one type of SMS attack, and it and the other threats in this category pose a significant risk to all mobile users.
SMS attacks deliver malicious URL links via text message, typically leading to a website or download. Users that engage with these links may unknowingly harm themselves, either by downloading harmful code or revealing sensitive information.
To enact an SMS attack, a threat actor typically structures it in the following phases:
Attackers prepare by finding ways to share a threat through a mobile subscriber network. They also must set up any channels that deliver their malicious software or harvest user information. Once an attacker has prepared themselves to distribute their malicious texts, they expose users to the threat.
Unlike some other threats, SMS attacks are mostly designed around social engineering tactics to deceive victims into compromising themselves. Urgency is a key trait that attackers use to drive a victim into action. After getting a user to engage with a link, the attacker can then execute their will upon a user’s device and any connected services.
It’s worth noting that some SMS-based attacks may deviate from this structure. However, many common attacks tend to utilize the distribution and exploitation model detailed above.
As a result, SMS attacks can affect users directly, as well as damage a cellular or mobile messaging service provider’s reputation and congest networks.
SMS malware may spread both at the onset of an attack and through subsequent user infections. As the name implies, SMS malware involves both malware and the malicious use of SMS (or another text-based mobile messaging service).
While the name might suggest exclusive spread through SMS texts, this malware can spread through other means as well. Initial and subsequent infection vectors may involve mobile messaging applications, including any mobile data-based messaging service such as WhatsApp, Apple iMessage, and Facebook Messenger.
Some cases may involve users getting infected by SMS malware outside of mobile texting. Emails, websites, and other networked services can deliver malware that causes SMS attacks. This can then trigger users to be unwitting spreaders of SMS-based malware threats.
When discussing SMS malware, there are two distinct threats to understand:
In direct distribution, attackers use mobile networks or messaging services to send their malware-bait texts to users. Often, attackers automate their text messaging using malicious code to avoid manually contacting each user.
In secondary distribution, infected users spread the threat to other people in their contacts. The initial infection results from an attacker planting malicious code in places a user might expose themselves. This malicious code is capable of spreading malware once a user is infected.
Malicious apps, emails, and social media posts and messages are all common sources of this secondary “hijack” threat. The malicious code then may abuse a user’s contact list to send SMS attack messages.
Alternatively, an attacker’s malicious code may overtake a user’s mobile device as part of a botnet. This allows an attacker to send commands to it, doing more than a preprogrammed set of actions. This can include harvesting a user’s contacts to be used in a larger attack target list or executing other attack types like DDoS attacks. Sometimes, backdoor access is created to make a persistent threat.
Among the many SMS attack threats, here are some notable types:
SMS phishing, or “smishing,” involves an attacker posing as a trusted person or institution via text messaging to deceive users into compromising themselves.
Users may be baited into a malware infection, into sending money, or into disclosing private info, such as account credentials or banking numbers.
Phishing itself has been a popular cyberattack for years: people tend to be less skeptical of messages when they are from a person or organization they trust. Plus, urgent messages exploiting human trust alongside simple malicious links and file attachments can fool even savvy internet users.
Mobile malware is any malicious software that runs on mobile devices. These attacks involve the creation and distribution of malware by cybercriminals designed to target a victim’s mobile device. This is often the payload of other SMS attacks, such as smishing. Frequent offenders include:
Premium-rate SMS scams involve the unauthorized signup of users to subscription message services. Victims incur unwanted bills on their phone statement and may even be paying the attacker if the criminal runs these services.
A premium-rate SMS service might be for daily horoscopes or other conveniences. While these can be legitimate, attackers abuse this system to cause inconveniences or profit.
Sometimes, malware such as a Trojan may infect devices to trigger joining premium-rate services. These Trojans and other malware are designed to make unauthorized calls or send unauthorized texts without the user’s knowledge or consent. These calls and texts are subsequently directed to chargeable SMS text services or premium-charge numbers. These are operated by the cybercriminal, generating significant revenue streams for cybercriminal networks.
SMS attacks have been increasing over the years, especially as mobile use has risen globally. Here are some more recent attacks to be aware of:
In early 2020, a banking trojan called Emotet was used by cybercriminals to steal customers’ credentials and infect them with malware through text messages (SMS). They posed as trusted United States banks in urgent-sounding text messages, such as “Savings Bank ACC LOCKED,” and included a malicious web link for targeted customers to resolve the fake issue. Attackers used local phone numbers and formatted the message similarly to typical automated alert texts, causing victims to panic and click.
Victims that open the malicious link arrive at a fraudulent bank login page, which (if used) captures the user’s account credentials — without them knowing. Victims then enter phase two of the attack by downloading a document prepared with malicious code in the form of macros.
Emotet’s worm-like replication and its anti-malware evasion methods make this threat a substantial risk. While now delivered via a standard smishing attack, the Emotet malware has spread since 2014 (it took a short hiatus in mid-2019) via an ever-changing roster of channels. Its continuous evolution makes it a threat to keep an eye on.
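The traits of the bank-themed texts described above (urgent account wording, a link, and a bank name that does not match the link's domain) can be checked mechanically. The following is an added example, not code from the original article; the keyword list, shortener list, brand-to-domain mapping and sample messages are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed indicator lists for illustration; tune them for your own traffic.
URGENCY = re.compile(r"\b(locked|suspended|verify|urgent|immediately|expired)\b", re.I)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Hypothetical brand -> legitimate domain mapping (constructed).
BRAND_DOMAINS = {"savings bank": "savingsbank.example"}
URL_RE = re.compile(r"https?://\S+", re.I)

# Constructed sample messages; none are real captures.
SAMPLES = [
    "Savings Bank ACC LOCKED. Unlock now: http://savingsbank-alerts.example/login",
    "Savings Bank: your statement is ready at https://www.savingsbank.example/statements",
    "Running late, see you at 7",
]

def link_hosts(text):
    """Return the hostnames of every http(s) link in the message."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url.rstrip(".,)")).hostname
        if host:
            hosts.append(host)
    return hosts

def triage(text):
    """Return the list of smishing indicators present in one SMS body."""
    hosts = link_hosts(text)
    hits = ["contains_link"] if hosts else []
    if URGENCY.search(text):
        hits.append("urgency_wording")
    if any(h in SHORTENERS for h in hosts):
        hits.append("shortened_link")
    for brand, domain in BRAND_DOMAINS.items():
        # A link is off-brand when it is neither the domain nor a subdomain of it.
        off_brand = any(h != domain and not h.endswith("." + domain) for h in hosts)
        if brand in text.lower() and off_brand:
            hits.append("brand_domain_mismatch")
    return hits

def verdict(text):
    """Flag for review when a link is combined with at least one other indicator."""
    hits = triage(text)
    return "review" if "contains_link" in hits and len(hits) >= 2 else "pass"

if __name__ == "__main__":
    for sample in SAMPLES:
        print(verdict(sample), triage(sample))
```

A look-alike host such as savingsbank-alerts.example is caught because the comparison is on the registered domain boundary rather than a substring match.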
In July 2019, reports of new ransomware targeting Google Android devices had begun to surface. Known as Android/Filecoder.C, this threat spreads via text message and can lock down your phone files via data encryption. This allows attackers to demand a ransom in exchange for access to your files.
This threat has been around since July 2019, spreading via web forums such as Reddit. The bait is typically pornographic content, hiding links under URL-shortening services like bit.ly.
Android-based victims of this link are infected with malware, sending texts containing another malicious link to every one of their phone contacts. This text link promotes an app, which will silently run ransomware in the background if installed.
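The self-propagation described here, and the contact-list abuse under secondary distribution, leaves a recognizable trace: one device sending the same link to many different contacts within seconds. The following added example (not from the original article) detects that pattern in a sent-message log; the log format, thresholds, phone numbers and URLs are constructed assumptions.

```python
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+", re.I)
WINDOW_SECONDS = 60   # assumed threshold
MIN_RECIPIENTS = 5    # assumed threshold

# Constructed sent-message log: (epoch_seconds, recipient, body).
SAMPLE_LOG = [
    (5000, "+15550101", "Worth a read https://news.example/article"),
    (20000, "+15550102", "Worth a read https://news.example/article"),
] + [
    (1000 + i, "+155501%02d" % (10 + i), "Look at this app http://app-download.example/get")
    for i in range(6)
]


def fanout_alerts(sent_log, window=WINDOW_SECONDS, min_recipients=MIN_RECIPIENTS):
    """Return {url: peak distinct recipients} for links mass-sent inside one window."""
    by_url = defaultdict(list)
    for ts, recipient, body in sent_log:
        for url in URL_RE.findall(body):
            by_url[url.rstrip(".,)")].append((ts, recipient))

    alerts = {}
    for url, events in by_url.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge so the window spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {r for _, r in events[start:end + 1]}
            if len(distinct) >= min_recipients:
                alerts[url] = max(alerts.get(url, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for url, count in fanout_alerts(SAMPLE_LOG).items():
        print("possible SMS worm: %s sent to %d contacts" % (url, count))
```

The link shared with two friends hours apart stays below the threshold, while the six sends in six seconds are reported.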
What can you do to keep yourself safe from an SMS attack? Here are some key tips to guide your protection efforts:
Ultimately, by installing effective anti-malware software, you can defend your mobile devices against Trojans and other malicious threats that initiate SMS attacks. We recommend Kaspersky Total Security: it protects all your devices (mobile, desktop, laptop, tablet) against Trojans, phishing scams, and other malware attacks.