
A newly uncovered Android malware family named Qwizzserial is wreaking havoc across Uzbekistan, stealing sensitive financial data from thousands of mobile users by exploiting the country’s reliance on SMS-based two-factor authentication (2FA).
Discovered by Group-IB, Qwizzserial represents a new generation of Android malware campaigns where malicious APKs are generated and distributed via Telegram bots, allowing cybercriminals to launch highly scalable and localized attacks.
“This research uncovers the previously unknown family of Android SMS stealers… named Qwizzserial after the common Java package name for its main activity component,” the report states.
The campaign is hyper-targeted at Uzbek users, where SMS remains the backbone of online financial transactions. With limited adoption of biometric or 3D Secure technologies, most services—including P2P transfers, mobile payments, and app authorizations—still rely on SMS as the only security layer.
“The implication of the reliance of payment systems on SMS authentication means that fraudsters can intercept the SMS, and give them control over the victim’s finances,” the report warns.
The attackers exploit Telegram channels disguised as official government services, using deceptive APKs titled “Are these your photos?” or “Presidential Support” to trick victims into downloading malware under the guise of financial aid.
“Threat actors commonly disguise the malware under deceptive file names… often create Telegram Channels posing as official government entities,” the report explains.
Screenshots from these channels show fake presidential decrees and government assistance forms—content designed to build trust and trick citizens into downloading malware-laced apps.
This campaign mimics the Classiscam model, but instead of classic phishing links, it distributes fully weaponized APKs. Telegram bots automate the creation of these fake apps and manage group chats among threat actors—admins, “workers,” card verifiers (“vbivers”), and fraud trainers.
“Telegram bots play a central role… used to generate the malicious applications and to grant access to internal group chats.”
In just three months, from March to June 2025, a single Qwizzserial gang made over US$62,000, according to figures posted in their own “Profits” Telegram channels. The campaign has infected approximately 100,000 devices via more than 1,200 malware variants, many disguised as financial services apps.
Group-IB’s telemetry reveals a daily increase in new samples and notes a Pareto distribution in infection spread—25% of samples account for 80% of the infections.
Once installed and granted permissions, Qwizzserial:
- Requests READ/RECEIVE SMS and CALL permissions, and repeats the prompt until they are granted.
- Prompts users to enter bank card data and phone numbers.
- Steals:
  - Full SMS history
  - Contact list
  - Installed financial apps
  - SIM card details
  - Device and network metadata
- Uses regex to scan for SMS messages related to account balances or large sums.
- Sends data via Telegram API to fraud team-specific chat rooms.
- In the latest versions, switches to exfiltration through an HTTP gate server before forwarding data to Telegram bots.
“All the data described above is exfiltrated using Telegram bots to four distinct chats, each designated for a specific message type.”
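Because the stealer pushes its loot through the Telegram Bot API, outbound calls to that API from a handset are a practical detection signal. The following is an added example (not code from the Group-IB report or from the malware) that scans constructed proxy log lines for Bot API data-pushing calls, reports only the numeric bot id, and never records the secret part of the token; the log format and addresses are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real traffic): "<src_ip> <method> <url> <status>"
SAMPLE_LOG = """\
10.0.0.12 POST https://api.telegram.org/bot123456789:AAF1example_tokenXYZ/sendMessage 200
10.0.0.12 POST https://api.telegram.org/bot123456789:AAF1example_tokenXYZ/sendDocument 200
10.0.0.12 GET https://www.example-bank.uz/api/balance 200
10.0.0.25 GET https://api.telegram.org/bot987654321:BBG2another_tokenABC/getUpdates 200
10.0.0.31 GET https://telegram.org/ 200
"""

# Bot API URLs have the shape /bot<token>/<method>; the token is <digits>:<alnum/_/->
BOT_PATH = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")
# Methods that push data out of the device; getUpdates alone is ordinary bot polling
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}

def parse_line(line):
    """Return (src, http_method, url) or None for a malformed line."""
    parts = line.split()
    if len(parts) < 4:
        return None
    return parts[0], parts[1], parts[2]

def classify_url(url):
    """Return (bot_id, api_method) if url is a Telegram Bot API call, else None."""
    u = urlsplit(url)
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH.match(u.path)
    if not m:
        return None
    # keep only the numeric bot id for reporting; the secret half of the token is dropped
    return m.group("token").split(":", 1)[0], m.group("method")

def find_exfil(log_text):
    """Map each source address to the set of (bot_id, api_method) data-pushing calls it made."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        src, _, url = parsed
        call = classify_url(url)
        if call and call[1] in EXFIL_METHODS:
            hits[src].add(call)
    return dict(hits)

if __name__ == "__main__":
    for src, calls in find_exfil(SAMPLE_LOG).items():
        print(src, sorted(calls))
```

The official Telegram client talks MTProto to Telegram's data centres rather than calling api.telegram.org/bot…, so a phone issuing sendMessage or sendDocument to the Bot API is worth a look; the HTTP gate server used by newer variants will not show up here and needs its own indicator.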
Later variants, like one masked as a “Video” app, are now obfuscated using NP Manager and Allatori Demo, with added persistence features such as disabling battery optimization, allowing the malware to stay active indefinitely.
“The recent samples also include unused Java packages NPStringFog and NPProtect, suggesting potential future use.”
These versions no longer directly ask for bank card info—instead, they rely on SMS-intercepted OTPs to access banking apps silently in the background.
Qwizzserial is a textbook case of how threat actors adapt existing cybercrime-as-a-service (CaaS) models, like Classiscam, for mobile malware deployment. Using Telegram bots for malware automation and localizing the attack for Uzbek victims, the campaign shows how low-cost tools and infrastructure can deliver high-impact financial fraud at scale.