The SMISHING threat – unraveling the details of an attack


On January 26, a new smishing attack targeted users in the Czech Republic. Smishing, or SMS phishing, is a vector attackers use to send SMS messages from supposedly legitimate organizations.  These messages persuade users to download a malicious app, to provide private information like bank account or credit card details, or to click on a malicious URL.

In this campaign, the attackers masqueraded as Czech Post, the Czech postal service to get users to download a malicious app containing a full-scale Trojan horse. Once users click the link, they are led to a fake Czech Post web page with a seemingly legitimate address. From there the malware downloads and installs immediately on the mobile device. Since users need to approve the installation of apps from sources other than Google Play, the attackers use social engineering tactics convincing them to do so.


Some versions of the malware have the suspicious name “Flash Player 10 Update” with the icon of Czech
Post’s official app. Others are also named as an online version of the official app. Once the malware launches the icon disappears, but the actual malicious activity continues running in the background.


From this point on, each time the user tries to open any app a request for his credit card details and additional personal information appears. This data is sent to the attacker who uses it to steal money from the victim. The malware is also capable of intercepting incoming SMS messages, allowing an attacker to bypass two-factor authentication (2FA). This is a common activity seen by many banker malware in the past, such as the Marcher banker.


The malware communicates with its Command and Control server (C&C) which is capable of sending a wide variety of commands. The malware can send SMS messages to a user’s contacts or to a specific number which to help spread the malware. The malware can also lock the user’s device and display a ransom message to extort money from the user in return for his control of the device. Watch the demo video.


This attack is just one example of how dangerous smishing attacks can be. These attacks can be modified easily to deceive users or to impersonate legitimate organizations. Users should beware of suspicious SMS messages, only install apps from trusted sources, and implement advanced security solutions capable of detecting and blocking advanced threats like smishing attacks.



List of IoCs:

App name – Pošta Online

Package name – nkl.gewpfvqsnxehngqtzjlhrcqivqsqhw

Sha256 – 25e07c50707c77c8656088a9a7ff3fdd9552b5b8022d8c154f73dca1e631db4f

C&C server – i-app4[.]online/muchthenweresto