SMSFactory Trojan Is Driving Up Android Phone Bills With This Stealthy Tactic

Last week, security researchers published a report showing that the rate at which trojans infect mobile devices has been accelerating over the past few quarters. Trojans are a form of malware disguised as applications that users might want to install. Victims of trojans effectively invite malware onto their devices without knowing it, by installing what they think are harmless apps. Many mobile trojans target financial applications in order to steal credentials, which bad actors can then use to siphon away victims’ funds. However, trojans can pilfer victims’ funds in other ways too.

Cybersecurity researchers at Avast have been tracking a trojan that leverages phone calls and SMS messages to perpetrate theft. The researchers have dubbed the trojan “SMSFactory,” after one of the class names in the malware’s code. They have found the trojan disguised as apps offering access to game hacks, video streaming, and adult content.

SMSFactory app installation process (source: Avast)

The installation pages for these apps include instructions telling victims how to bypass Android’s Play Protect feature and install the apps. When victims first install the apps, the apps display rudimentary menus showing games, videos, and adult content that rarely work. These trojan apps lack icons and application names, and try to hide from victims by disappearing from the home screen, in the hope that victims will not notice the apps and will forget about them.

The SMSFactory malware embedded in these apps begins by sending device identification and phone service information back to the threat actors behind this malware campaign. The threat actors then send back instructions, directing the malware to regularly send premium SMS messages or make phone calls to premium numbers. These messages and calls direct funds to the threat actors, adding extra charges to victims’ phone bills.
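The two traits described above, an app with no icon or name that can also send SMS messages and place calls, can be checked together when triaging a sideloaded APK. The following is an added example, not code from Avast or from the malware: it assumes the manifest has already been decoded to text XML, uses the standard Android permission names `SEND_SMS` and `CALL_PHONE`, and treats missing `android:icon` and `android:label` attributes as a stand-in for "no icon or name". Both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

# Attribute prefix for the android: namespace used in AndroidManifest.xml.
A = "{http://schemas.android.com/apk/res/android}"
# Standard Android permissions that let an app send SMS or place calls itself.
BILLING_PERMS = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}

def triage_manifest(manifest_xml):
    """Summarise billing-capable permissions and missing branding in a manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(A + "name") for p in root.iter("uses-permission")}
    billing = sorted(requested & BILLING_PERMS)
    app = root.find("application")
    # Heuristic (assumption): an absent or empty icon/label means the app shows no icon or name.
    missing = [a for a in ("icon", "label") if app is None or not app.get(A + a)]
    return {
        "package": root.get("package"),
        "billing_permissions": billing,
        "missing_branding": missing,
        # Flag only the combination; a normal messaging app has both an icon and a label.
        "suspicious": bool(billing) and len(missing) == 2,
    }

# Constructed sample: no icon, no label, can send SMS and place calls.
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevideos">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

# Constructed sample: an ordinary messaging app with icon and label.
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:icon="@mipmap/ic_launcher" android:label="@string/app_name">
    <activity android:name=".Main"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for sample in (SUSPECT, BENIGN):
        print(triage_manifest(sample))
```

A hit is a reason to inspect the app further, not a verdict: the check only reads what the manifest declares.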

One of the trojan apps includes a terms and conditions section that attempts to explain the trojan’s behavior. This section reads, “PRIVATE APP: Seeing that is an adults only contents app, the app will appear on your desktop as a transparent icon so as to maintain your privacy in the event of other users using your Smartphone. SUBSCRIPTION As long as you have the app installed you will be subscribed to the app, so they will send SMS automatically so you can continue enjoying the content.”

Beyond the gaming, video, and adult content apps found by Avast that include the SMSFactory trojan, ESET researchers have discovered two entire app stores that distribute the trojan. Both and claim to offer a large variety of popular apps, but instead install apps that exhibit the same behavior as the apps found by Avast and contain the SMSFactory trojan.