# An explosion of dangerous campaigns targeting Android users. The risk of losing personal data looms.

## **Overview**

Recently, a large-scale attack campaign has targeted Android users worldwide. Among them, **Qwizzserial** has emerged as a professional Android malware variant, specializing in stealing SMS, first discovered by Group‑IB in mid-2024. It then spread widely in Uzbekistan, disguised as legitimate apps like “Moliyaviy Yordam” (Financial Support) or “Presidential Support.”

According to recorded reports, over **100,000 devices** have been infected, mostly in Uzbekistan. This campaign has brought the criminal group at least **$62,000 USD** in just three months (March–June 2025).

![Android Malware, Qwizzserial](https://securityonline.info/wp-content/uploads/2025/07/seril-1024x683.png align="center")

## **Method of Spread**

The malware `“Qwizzserial“` is primarily spread through Telegram channels. Here, hackers trick users into installing fake `APK` files disguised as: **“Are these your photos?”, “Presidential Support”**, or other legitimate apps and services.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752252091934/0c2a1e3a-ccd6-45bf-9ea9-85a5c6b553a4.png align="center")

The attackers created **Telegram channels impersonating government organizations**, uploading fake statements and financial aid announcements to gain the victims' trust.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752252490317/9b6c12dd-7443-4802-948d-68c01ae08b87.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752252551995/2191896f-6fbb-4798-be3f-61780a0fcbec.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752252573648/4e98ff4a-cff8-4e55-a3a8-094580d94f44.png align="center")

## **Impact Level**

During the monitoring process, the cybersecurity team observed that the criminal groups seized over $62,000 USD within three months from mid-March to mid-June 2025, based on information shared in the Telegram channel.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752288804897/1d6114cb-d0bb-420c-bc9d-8a9cbb67a6c6.png align="center")

In addition, from 2024 to 2025, over **100,000 Android devices** were affected with more than **1,200 variants** of the **Qwizzserial** malware.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752289712398/1fa0efd7-59b2-45ff-801b-059992d5ece0.png align="center")

## **Campaign Details**

Initially, after hackers managed to distribute malicious variants through Telegram, a `.apk` file written in Kotlin would be executed: `MoliyaviyYordam.apk`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752291110085/e1539e61-464d-4ad9-b602-c96e04f098ea.png align="center")

This malicious file will request the following permissions related to phone calls and SMS messages, in addition to listing some **dangerous permissions** on the Android operating system.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752291291486/42d8c12d-a771-45b8-bb54-4acaca40611a.png align="center")

The malware will continuously prompt users to grant permissions and then enter their phone number and bank card information.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752292915174/950cdfe9-c883-4cc7-ae0a-bb513b066790.png align="center")

When the victim submits the data, the malware immediately sends it through the Telegram Bot API. At the same time, the screen changes to display a phishing notification.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752295586414/26433cea-8384-4001-9a8d-7227e5dca5f1.png align="center")

In the malware, there is a piece of code written in JavaScript to **hide the behavior of extracting user data (like SMS)** and **write data to a ZIP file** to send it out.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752296388823/72c6eb17-fc7a-45d7-acc7-1ffa16e7b4ee.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752296558232/f6e25217-b557-4ec6-a204-5765b7e35b93.png align="center")

In addition to collecting initial data, **Qwizzserial** can block all new incoming messages and perform other functions such as:

* Regex for checking account balance
    
* Integration with Telegram bot
    
* Reading SMS messages (like those from banks)
    
* Bank card information
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752296902030/16beef0f-382b-42a9-bb96-06e7bdffe3dd.png align="center")

Next, the attacker will use another piece of malware called `file.bin`. Although it **does not directly steal information** like the previous SMS reading segments, it:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752298176174/4727e7d3-f4b2-4f1c-87ff-2f890343f08b.png align="center")

* Suggests that the app **pretends to be a legitimate app**, with a user interface.
    
* Leads users to a **malicious website**, which could be:
    
    * A page that asks for Google/Bank account login → stealing information.
        
    * Downloading more malicious APKs from there.
        

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752297337408/d52ca469-8f9e-4702-875f-f60cea830bc8.png align="center")

And all the information and data are sent to the **C2 (command & control)** server through an encrypted protocol, allowing the attacker to:

* Log into the real account
    
* Perform fraudulent transactions **almost in real-time** because the OTP code is obtained immediately afterward
    

## **Conclusion**

The **Qwizzserial** campaign represents a **new advancement in mobile cybercrime**, shifting from phishing to mobile malware with a professional organization. Although it is currently focused in Uzbekistan, the operational model could expand to other countries using SMS as OTP. This is a **wake-up call for all stakeholders** to upgrade authentication and mobile security mechanisms for the majority of users.

## **Recommendations**

1. **Do not install APKs from sources outside Google Play**
    

* **Absolutely do not install apps** from Telegram links, SMS, or unofficial websites.
    
* Enable the option **"Only allow installation from Google Play"** in system settings.
    

2. **Do not grant SMS reading or Accessibility Service permissions unless necessary**
    

* If an app requests permissions like `READ_SMS`, `RECEIVE_SMS`, `ACCESSIBILITY_SERVICE`, etc., check its legitimacy.
    

3. **Be cautious of "social support" content spreading on Telegram**
    

* Fake channels often use: national emblems, government organization names, or "President" names to appear trustworthy.
    

4. **Check for strange app icons that might be hidden**
    

* Some Qwizzserial variants automatically **hide icons** from the home screen → check in **“Settings &gt; Apps”** if something seems off.
    

5. **Do not use authentication based solely on SMS OTP**
    

* Switch to:
    
    * **Multi-factor authentication (MFA) based on push notifications**
        
    * **Biometric authentication** (fingerprint, face)
        
    * **3D Secure v2** for online payments
        

## **IOC**

1. **Domain C2**
    

* president-support\[.\]com
    
* support-pul\[.\]com
    
* support-uz\[.\]com
    
* support-uzb\[.\]xyz
    
* president-uzb\[.\]xyz
    
* support-uzbekistan\[.\]xyz
    
* sms-tracker-uz\[.\]xyz
    
* trust-mobilebank\[.\]xyz
    
* k-uzb-bank\[.\]xyz
    
* pension-support\[.\]xyz
    

2. **SHA-256**
    

* 23d4e3f9b1d95c0e2a8a19de2c8d20f3b8c66e4ef83032f11b4fd09b55b4a4ff
    
* 95a2de11e3d30e9e9f131c391929a87058ef0a6166e9476371035f709e42a3c7
    
* db206bfb9293e621c9d6a36077bb275299dd39f5934767a9d28b1f7e38b44f0e
    

## **Reference**

1. [Qwizzserial: Telegram-Driven Android SMS Stealer Infects 100,000 Devices](https://securityonline.info/qwizzserial-telegram-driven-android-sms-stealer-infects-100000-devices/)
    
2. [June's Dark Gift: The Rise of Qwizzserial | Group-IB Blog](https://www.group-ib.com/blog/rise-of-qwizzserial/)
