Clicking on the link downloads a trojanized Android application disguised as the Google Chrome browser. The malware then asks the user to allow installation and requests permissions to access SMS, contacts, local storage and the phone call history. Once the user grants these permissions, the malware installs itself, collects information about the device, such as the smartphone model, software version, Wi-Fi and cellular network status, and preferred language, and sends it all to the cybercriminals' command and control server. The Trojan's main functionality is to intercept SMS, steal the user's contacts, and send SMS spam. As a result, the malware operators can gain access to OTPs, for example, or use the collected information to launch further targeted attacks against the victim or the people in their contact list for monetary gain.
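As an added triage example (not Group-IB's code), the check below parses a constructed AndroidManifest.xml and flags the two warning signs described above: an app whose label claims to be Chrome while its package name is not the official one (assumed here to be `com.android.chrome`), and a request for the SMS, contacts, call-log and storage permission set the Trojan asks for.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
OFFICIAL_CHROME_PACKAGE = "com.android.chrome"  # assumption: genuine Chrome package name

# Permission groups that match the capabilities the text attributes to the Trojan.
RISKY_GROUPS = {
    "SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call log": {"android.permission.READ_CALL_LOG"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
}

def parse_manifest(xml_text):
    """Return (package, label, set of requested permissions) from a manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {p.get(ANDROID_NS + "name", "") for p in root.iter("uses-permission")}
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    return package, label, perms

def triage(xml_text):
    """List the suspicious traits of a manifest; an empty list means nothing flagged."""
    package, label, perms = parse_manifest(xml_text)
    findings = []
    if "chrome" in label.lower() and package != OFFICIAL_CHROME_PACKAGE:
        findings.append(f"label '{label}' imitates Chrome but package is '{package}'")
    hit = {g for g, names in RISKY_GROUPS.items() if perms & names}
    if "SMS" in hit and hit & {"contacts", "call log"}:
        findings.append("SMS access combined with " + ", ".join(sorted(hit - {"SMS"})))
    return findings

# Constructed sample manifest modelled on the behaviour described in the text.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.update.chrome.fake">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Chrome"/>
</manifest>"""

if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST):
        print("FLAG:", line)
```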
Group-IB researchers assess with high confidence that the Trojan was initially designed to target South Korean users, because part of its code is used to determine which South Korean operator the SIM card belongs to.
While the number of SMS recipients and victims remains unknown, Group-IB researchers used their network graph analysis tool to establish that the domain in question is part of a complex cybercriminal infrastructure hosting a total of 107 websites. Of those 107, 85 are look-alike domains impersonating SingPost. The names of the other malicious websites closely resemble popular postal service brands from the USA, Sweden, Germany, Finland, and Denmark, which gives Group-IB researchers reasonable grounds to believe that the campaign was not limited to Singapore. All the domains were registered between December 25, 2020, and March 1, 2021 and share the same naming pattern. Let's turn to Group-IB's graph: