Report on Smishing-Based Mobile Security Threats
1. Overview
Smartphones have become an essential tool in modern society and are at the center of everyday life. However, this has led to a continuous increase in malicious mobile crimes. Among them, smishing has become a major means of executing various crimes, including personal information theft, credential abuse, and sextortion, by distributing phishing pages and URLs for downloading malicious apps through text messages.
This report addresses the seriousness of mobile security threats through cases of smishing that occurred on the Android platform by 2024. The report also analyzes the main types of smishing investigated by the Mobile Analysis Team, their distribution methods utilizing social engineering techniques, and the crimes that occur after the malicious apps are installed.
2. Smishing Messages
Table 1 classifies the major cases of smishing messages collected in 2024. Smishing messages often impersonate public institutions and governments known to the general public. They also pose as acquaintances announcing celebrations or condolences, or present themselves as chance encounters.
| Types of Impersonation | Description | Phishing Website | Malicious App |
|---|---|---|---|
| Korea Post | Exfiltrates personal information through fake postal service pages posing as undelivered and international deliveries | O | X |
| Telegram | Exfiltrates accounts through fake login pages posing as Telegram policy violations and login errors | O | X |
| Cryptocurrency exchange | Induces victims to transfer cash through fake coin exchanges in relation to coin burning | O | X |
| Health insurance | Induces victims to install malicious apps posing as health insurance | O | O |
| Government | Induces victims to install malicious apps on the grounds of civil complaints and traffic violations | O | O |
| Obituary | Induces victims to install malicious apps by disguising as an acquaintance’s obituary | O | O |
| Mobile wedding invitation | Induces victims to install malicious apps by disguising as an acquaintance’s wedding | O | O |
| Chance encounter | Poses as a chance encounter to induce investment fraud or the installation of malicious apps | O | O |
| Sexual meetup | Poses as a sexual meetup to induce the installation of malicious apps | O | O |
Table 1. Smishing types collected in 2024
The smishing messages currently being distributed are shown in Figure 1, and they include messages and URLs to lure in users. When a URL is clicked, it displays a phishing site that matches the impersonated message, making it difficult for victims to suspect it is a scam.

Figure 1. Smishing messages
Next, this report will introduce the means used by smishing messages to deceive victims and induce access to phishing sites, the characteristics of malicious smishing URLs, and how the threat actor verifies victims within the smishing context.
2.1. Means of Luring Victims
This section explains how smishing messages deceive victims and induce them to click on malicious URLs.
2.1.1. Impersonating Public Institution Services
Impersonating commonly known public institutions reduces users' suspicion. Civil complaints, insurance services, and post offices are typical examples. Because the general public is required to comply in the case of civil complaints and insurance services, these pretexts are used to conceal suspicious steps such as the installation of malicious apps. As a result, they are mainly used in various technical crimes such as account theft through malicious apps, victim monitoring, and redistribution of smishing messages, rather than just simple personal information theft (see Figure 2).

Figure 2. Phishing sites within smishing messages impersonating public institution services
2.1.2. Posing as Family Events
These smishing messages target middle-aged and older adults, who are less sensitive to security, and include details about family events that the recipients consider important. The messages may include specific names of acquaintances or family members, aiming to prompt urgent clicks and conceal suspicious steps. Like public institution service impersonation, this pretext is also used as a means to install malicious apps (see Figure 3).

Figure 3. Phishing sites within smishing messages impersonating family events
2.1.3. Financial Gain
These messages primarily target young people and encourage clicks under the pretext of coin and stock investments. In these investment-related scams, people impersonating customer service staff and fellow participants (also known as decoys) are deployed, and social media and corporate consultation platforms are actively used (see Figure 4).

Figure 4. Coin fee scam using coin burning
Because victims are more cautious when only messages are distributed, the strategy has recently changed to building rapport through messenger apps, using a chance encounter as the opening, such as a message sent by mistake or a “like” on a post distributed by the threat actor on social media, as shown in Figure 5.

Figure 5. Investment scams building rapport under the pretext of wrongly sent messages or “likes” on social media
Afterwards, the threat actor, claiming it is “information only we know”, invites the victim to install a web app for a stock and coin chart manipulation site or to join a scam investment room, introduces a stock as promising, and makes the victim transfer money (see Figure 6).

Figure 6. Soliciting investment on specific stock through chat
2.1.4. Sexual Meetup
As in 2.1.3. “Financial Gain”, threat actors propose a sexual meetup through messages and social media, as shown in Figure 7. They induce the installation of malicious apps while exchanging obscene conversations with the victim through messenger apps.

Figure 7. Posing as sexual meetups using messages and social media
2.1.5. Others
Some smishing messages impersonate platforms or pose as warnings about social media account suspension to steal victims’ accounts. The main target is Telegram accounts. Telegram is used for its high security, which provides confidentiality in conversations and channels, and for conveniences such as file sharing without time limits. When victims receive smishing messages under the pretext of re-login requests or policy violations, those with more sensitive content on Telegram are more likely to enter the verification code quickly. Once the verification code is sent to the C2 server, the threat actor automatically accesses the Telegram account and disconnects the linked login devices, making it impossible for the victim to use Telegram (see Figures 8 and 9).

Figure 8. Smishing message with a Telegram phishing page

Figure 9. Comparison of the official Telegram site (left) and the phishing site (right)