A sophisticated Android malware campaign targeting banking credentials and two-factor authentication codes has emerged as a significant threat to users across Central Asia, particularly in Uzbekistan.
The malware, dubbed Qwizzserial, represents a dangerous evolution in mobile banking fraud, exploiting the region’s heavy reliance on SMS-based authentication systems for financial transactions.
Initially discovered in mid-2024, Qwizzserial remained relatively dormant before experiencing explosive growth in distribution and impact.
The malware operates by masquerading as legitimate applications, using deceptive names such as “Presidential Support,” “Financial Assistance,” and even mimicking established banking applications to lure unsuspecting victims into installation.
Group-IB analysts identified the malware during their investigation into related Android threats, noting its sophisticated distribution network that mirrors the well-documented Classiscam fraud infrastructure.
The campaign has infected approximately 100,000 users, with documented financial losses exceeding $62,000 within just three months of active operation.
The malware’s primary distribution vector is Telegram, where threat actors create convincing channels posing as government entities offering financial assistance programs.
The scale and sophistication of the operation suggest a well-organized criminal enterprise with defined roles, including administrators, workers, malware developers, and specialized “vbivers” who verify stolen card details for fraudulent withdrawals.
This structured approach has enabled the rapid scaling of infections across the target region, with new malware samples emerging at an increasingly frequent rate.
Technical Analysis of Infection Mechanism
Qwizzserial’s infection mechanism demonstrates careful engineering designed to maximize data theft while maintaining persistence on victim devices.
Upon installation, the malware immediately requests the permissions critical to its operation:
android.permission.READ_PHONE_STATE
android.permission.CALL_PHONE
android.permission.RECEIVE_SMS
android.permission.READ_SMS
The application employs persistent permission requests, continuously prompting users until access is granted.
Once permissions are secured, victims are presented with a convincing interface requesting two phone numbers and complete banking card details including expiration dates.
[Figure: … and translations in English (right), requesting users to provide their personal and financial information (Source: Group-IB)]
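As an added example (not Group-IB's tooling and not code from the campaign), the following Python triage script parses a decoded AndroidManifest.xml and flags the four permissions listed above when they appear together with a receiver for the SMS_RECEIVED broadcast, the standard mechanism an app holding RECEIVE_SMS uses to read incoming messages. The manifest is a constructed sample; the package name and receiver name are invented.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission set the article reports Qwizzserial requesting at install time.
SMS_INTERCEPT_PERMS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}

# Constructed sample manifest (not from a real sample); names are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Financial Assistance">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def android_attr(el, name):
    """Read an attribute from the android: namespace."""
    return el.get(f"{{{ANDROID_NS}}}{name}")

def declared_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {android_attr(el, "name") for el in root.iter("uses-permission")}

def sms_receivers(manifest_xml):
    """Names of receivers whose intent-filter listens for SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    return [android_attr(rcv, "name") for rcv in root.iter("receiver")
            if any(android_attr(a, "name") == "android.provider.Telephony.SMS_RECEIVED"
                   for a in rcv.iter("action"))]

def triage(manifest_xml):
    """Flag the full SMS-interception permission set combined with an SMS receiver."""
    missing = SMS_INTERCEPT_PERMS - declared_permissions(manifest_xml)
    receivers = sms_receivers(manifest_xml)
    return {"missing_from_set": sorted(missing), "sms_receivers": receivers,
            "suspicious": not missing and bool(receivers)}
```

A hit only says the app can intercept SMS the way the article describes; legitimate messaging apps declare the same set, so treat it as a triage signal to pair with the distribution channel and app name, not as a verdict.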
The malware’s data collection capabilities extend beyond initial user input. It systematically harvests existing SMS messages, packaging them into ZIP archives containing separate files for inbox, sent, and miscellaneous messages.
A sophisticated regex pattern identifies balance-related communications, new Regex("\\b(Balance|Balans|Summu|Summa|Summ|Dostupno|Izmenen|Vklad|Amount|Availab"), enabling targeted financial intelligence gathering.
Recent variants have evolved to include obfuscation techniques using NP Manager and Allatori Demo, while implementing improved persistence mechanisms that disable battery optimization restrictions.
The malware now utilizes HTTP POST requests to gate servers rather than direct Telegram API communication, demonstrating continuous development and refinement of its operational security measures.