1,000+ Telegram Bots Exposed: Indonesian OTP Theft Ring Uncovered
Malefactors are increasingly using Telegram as a command-and-control (C2) server for malware. A recent study by Positive Technologies identified over a thousand Indonesian-origin Telegram bots employed to intercept one-time passwords (OTPs) required for accessing various services and user accounts. Victims of these attacks include not only residents of Indonesia but also of Russia and Belarus.
The majority of the malware analyzed by the experts consists of two types of stealers—SMS Webpro and NotifySmsStealer. These malefactors do not create their malware from scratch but use pre-made templates. The class structures, names, and code of these stealers are identical, differing only in their C2 servers and the format of messages in Telegram. NotifySmsStealer distinguishes itself from SMS Webpro by its ability to steal information not only from messages but also from notifications.
These attacks target ordinary users who receive phishing messages with an attachment in the form of an APK file. Upon downloading and installing this file, the victims unwittingly put the SMS stealer on their phones, allowing the malefactors to intercept OTPs for service logins. Once in possession of a one-time password for a bank account, the criminals can withdraw funds from the victim’s account.
Positive Technologies experts, during their investigation of Telegram bots, discovered numerous Indonesian-origin chats that attract significant attention daily with a large volume of messages and victims. They found that the spread of SMS stealers often began with phishing attacks on WhatsApp. As bait, the malefactors used wedding invitations, bank notifications, and other documents.
According to the specialists, the majority of those affected by these attacks are citizens of Indonesia, with the number of victims numbering in the thousands. In India and Singapore, the number of malware downloads reached several dozen. Unique types of stealers operate in India and Bangladesh. In Russia, Belarus, and Malaysia, isolated cases of attacks have been recorded.
To protect against stealers, experts recommend:
- Verifying the extensions of received files.
- Avoiding downloading applications via links from messages sent by unknown numbers, even if the senders claim to be bank employees.
- When downloading from Google Play, checking the accuracy of the application name through official sources.
- Not downloading or installing applications that request suspicious permissions.
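A defender-side static triage check for the traits the article describes (SMS access, a notification listener, a Telegram bot endpoint used as C2), added here as an example that is not part of the article or of Positive Technologies' research. It assumes the APK has already been unpacked and its manifest decoded to plain XML; the sample manifest and strings are constructed, and the bot token is a placeholder.

```python
"""Heuristic static triage for an APK suspected of being an SMS/notification stealer.

Added example, not from the article. Assumes the APK was unpacked and its
AndroidManifest.xml decoded to plain XML (e.g. with apktool) and the DEX strings
dumped to a list; the manifest and strings below are constructed samples."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions that let an app read incoming SMS, the OTP delivery channel.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# A notification listener service is gated by this permission on its <service>.
NOTIF_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# Telegram Bot API endpoint, the C2 channel the article describes.
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot")


def triage(manifest_xml: str, strings: list) -> dict:
    """Report which stealer traits are present and an overall verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    reads_sms = bool(requested & SMS_PERMS)
    reads_notifications = NOTIF_PERM in requested or any(
        s.get(ANDROID_NS + "permission") == NOTIF_PERM for s in root.iter("service"))
    telegram_c2 = any(TELEGRAM_BOT_RE.search(s) for s in strings)
    if (reads_sms or reads_notifications) and telegram_c2:
        verdict = "likely_sms_stealer"  # exfiltration channel plus a data source
    elif reads_sms or reads_notifications:
        verdict = "suspicious"  # worth a manual look, legitimate SMS apps also match
    else:
        verdict = "clean"
    return {"reads_sms": reads_sms, "reads_notifications": reads_notifications,
            "telegram_c2": telegram_c2, "verdict": verdict}


# Constructed sample: a fake "invitation" APK that asks for SMS access, registers a
# notification listener and embeds a Telegram bot URL (token is a placeholder).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.invitation">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_STRINGS = ["https://api.telegram.org/bot<TOKEN>/sendMessage", "chat_id"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

The "suspicious" verdict is deliberately broad: a legitimate messaging app also requests SMS permissions, so only the combination with a Telegram bot endpoint is treated as a strong signal.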
Following these recommendations will help users significantly reduce the risk of infecting their devices with malware and safeguard their data from cybercriminals.