Android SMS Stealer Infects 100,000 Devices in Uzbekistan

July 2, 2025

A new Android malware campaign distributing a previously unidentified SMS stealer has infected nearly 100,000 devices, primarily in Uzbekistan.

The malware, dubbed Qwizzserial, was identified by Group-IB researchers during a broader investigation into cybercriminal activities linked to the Ajina malware family.

Telegram-Fueled Distribution and a Familiar Structure

The Qwizzserial malware is being spread via Telegram, where cybercriminals pose as government agencies offering financial aid. Fraudsters disguise malicious apps using titles such as “Presidential Support” or “Financial Assistance,” tricking users into sideloading malware-laden APKs.

These Telegram channels often publish fake government decrees to gain credibility.

The campaign mimics the Classiscam fraud model, but instead of phishing links, it uses Telegram bots to generate APK stealers. These bots also manage team coordination channels, onboarding for new participants, and a “Profit Channel” showcasing earnings.

A single group behind the scheme made at least $62,000 between March and June 2025.


Qwizzserial Capabilities and Evolution

Qwizzserial targets SMS-based authentication, a widely used method in Uzbek payment systems. Once installed, the app requests access to phone state and SMS permissions, then harvests sensitive data such as:

  • Phone numbers and a bank card number with expiration date

  • SMS inbox, sent and other messages, archived as ZIP files

  • Details of installed Uzbek banking apps

  • SIM card info, including MCC/MNC codes and carrier name

The malware also scans messages for banking terms and large sums over 500,000 UZS (about $38). Exfiltration occurs through Telegram bots or, in newer variants, via a gate server using HTTP POST requests.

Recent versions show added persistence, such as requests to disable battery optimization, and no longer ask for bank card data directly. Instead, attackers may now rely on compromised credentials to access banking apps.
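The permission profile described above (SMS read/receive, phone state, a battery-optimization exemption and network access, attached to an app labelled like a government aid scheme) is something an analyst can check for at triage time, before any dynamic analysis. The following script is an added example written for this article, not code from Group-IB or from the campaign; it parses a constructed AndroidManifest.xml and grades how closely the declared permissions and app label match that profile. The permission names are real Android constants, the sample manifests and the scoring are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names, grouped here to mirror the behaviour the
# article describes (SMS harvesting, SIM/phone state, persistence, exfiltration).
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
PHONE_STATE = "android.permission.READ_PHONE_STATE"
PERSISTENCE = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
NETWORK = "android.permission.INTERNET"

# Lure titles quoted in the article; matched case-insensitively against the label.
LURE_KEYWORDS = ("presidential support", "financial assistance")

# Constructed sample manifests (not taken from any real APK).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.aid">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Financial Assistance"/>
</manifest>"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values from all <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}
    names.discard(None)  # tolerate malformed entries with no android:name
    return names


def app_label(manifest_xml: str) -> str:
    """Return the <application android:label> text, or '' if absent."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    return (app.get(f"{{{ANDROID_NS}}}label") or "") if app is not None else ""


def triage(manifest_xml: str):
    """Grade a manifest against the SMS-stealer profile.

    Returns (verdict, findings) where verdict is 'high', 'medium' or 'low'.
    'high' needs SMS access plus network egress plus at least one of
    phone-state access, a persistence exemption or a lure-style label.
    """
    perms = declared_permissions(manifest_xml)
    label = app_label(manifest_xml).lower()
    findings = []

    if perms & SMS_PERMS:
        findings.append("reads or intercepts SMS")
    if PHONE_STATE in perms:
        findings.append("reads phone/SIM state")
    if PERSISTENCE in perms:
        findings.append("requests battery-optimization exemption")
    if NETWORK in perms:
        findings.append("has network access")
    if any(k in label for k in LURE_KEYWORDS):
        findings.append(f"label resembles known lure: {label!r}")

    sms_and_egress = bool(perms & SMS_PERMS) and NETWORK in perms
    aggravating = PHONE_STATE in perms or PERSISTENCE in perms or \
        any("lure" in f for f in findings)

    if sms_and_egress and aggravating:
        verdict = "high"
    elif sms_and_egress:
        verdict = "medium"
    else:
        verdict = "low"
    return verdict, findings


if __name__ == "__main__":
    for name, m in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        verdict, findings = triage(m)
        print(f"{name}: {verdict}")
        for f in findings:
            print(f"  - {f}")
```

A score like this is a triage aid, not a verdict: plenty of legitimate apps declare SMS permissions, and a real pipeline would pair it with the exfiltration channel (Telegram bot API calls or POSTs to a gate server) observed in traffic, and with the app's signing identity and distribution source.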

A Growing Threat

According to Group-IB, Qwizzserial’s impact is amplified by Uzbekistan’s reliance on SMS as the only authentication layer in digital payments. The lack of stronger protections, such as biometrics or 3D Secure, allows threat actors to exploit this single point of failure effectively.

“This campaign shows how Classiscam-style operations are evolving,” the company said.

“Threat actors are constantly adjusting their tactics to keep up with changes in user habits, security measures and platform policies. Instead of using phishing links, they now spread malicious APK files through Telegram – making the process more efficient, harder to trace and easier for new cybercriminals to join in.”

To mitigate risk, Group-IB advises users to avoid installing apps from unofficial sources and carefully review app permissions. Businesses are advised to monitor user sessions, launch awareness campaigns and adopt behavior-based detection systems.
