Qwizzserial Android Malware Masquerades as Legit Apps to Steal Banking Data and Intercept 2FA SMS – gbhackers.com

A new and alarming Android malware family, dubbed Qwizzserial, has emerged as a significant threat, particularly targeting users in Uzbekistan.
Discovered by Group-IB in March 2024, this SMS stealer is designed to intercept two-factor authentication (2FA) codes and steal sensitive banking information, posing a severe risk to personal and financial security.
Disguised as legitimate applications such as financial assistance tools or banking apps, Qwizzserial lures unsuspecting users into installing malicious APKs, often through deceptive messages and channels on Telegram.
With an estimated 100,000 infections across approximately 1,200 samples, the malware’s reach is extensive, and its daily emergence rate continues to climb, as reported by Group-IB’s telemetry data.
The operational tactics of Qwizzserial are deeply rooted in social engineering and technical sophistication. Threat actors distribute the malware via Telegram, using enticing file names like “Are these your photos?” or mimicking government services to provoke curiosity or urgency.
Fraudsters enhance their credibility by creating fake Telegram channels posing as official entities, such as “Moliyaviy Yordam” (Financial Assistance), and even publish falsified presidential decrees to amplify their scams.
Once installed, the malware, often written in Kotlin, requests permissions for phone calls and SMS access, repeatedly prompting users until granted.
It then exfiltrates critical data, including bank card details, phone numbers, and SMS messages, using Telegram bots or gate servers like hxxp://llkjllj[.]top for data transmission.
Advanced variants employ obfuscation tools like NP Manager and Allatori Demo, and some even request battery optimization disablement for persistent background operation, showcasing an evolution in persistence mechanisms.
The impact of Qwizzserial is staggering, with a single group reportedly reaping around US$62,000 between mid-March and mid-June 2025, as per data shared on their Telegram “Profits” channel.
Infections follow a Pareto distribution: roughly 25% of samples account for 80% of infections, and the samples masquerading as financial institutions achieve the highest distribution rates.
Beyond initial data theft, Qwizzserial intercepts incoming SMS messages using broadcast receivers, targeting banking notifications and large transactions over 500,000 UZS (approximately US$38-39).
This persistent threat exploits the local banking sector’s reliance on SMS authentication, making it particularly effective in Uzbekistan.
Group-IB has developed detection methods within its Fraud Protection system to identify both known Qwizzserial samples and new SMS stealers through behavior-based rules, offering proactive defense against such evolving threats.
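The behaviour the article describes (SMS and phone permissions, a receiver registered for incoming SMS, and a request to disable battery optimization) can be checked statically in a decoded AndroidManifest.xml. The triage heuristic below is an added example for analysts, not Group-IB's rule set or any code from the malware; the indicator names, the score threshold and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission combination described for Qwizzserial: SMS access, phone calls,
# and (in later variants) a request to be exempted from battery optimization.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
CALL_PERMS = {"android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE"}
BATTERY_PERM = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

def triage_manifest(manifest_xml: str) -> dict:
    """Return SMS-stealer indicators found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # Receivers for SMS_RECEIVED; a high priority lets the app see each
    # message before the default messaging app does.
    sms_receivers = []
    for recv in root.iter("receiver"):
        for intent_filter in recv.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in intent_filter.iter("action")}
            if SMS_ACTION in actions:
                prio = int(intent_filter.get(ANDROID_NS + "priority", "0"))
                sms_receivers.append((recv.get(ANDROID_NS + "name"), prio))
    indicators = {
        "sms_permissions": bool(perms & SMS_PERMS),
        "phone_permissions": bool(perms & CALL_PERMS),
        "battery_optimization_bypass": BATTERY_PERM in perms,
        "sms_receiver": bool(sms_receivers),
        "high_priority_sms_receiver": any(p >= 999 for _, p in sms_receivers),
    }
    score = sum(indicators.values())
    indicators["score"] = score
    indicators["verdict"] = "suspicious" if score >= 3 else "low"  # threshold is an assumption
    return indicators

# Constructed sample manifest modelled on the behaviour described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` on the constructed manifest to see all five indicators set; a real decoded manifest (for example from apktool output) can be passed in the same way.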