An explosion of dangerous campaigns targeting Android users. The risk of losing personal data looms.

Lưu Tuấn Anh

Overview

Recently, a large-scale attack campaign has targeted Android users worldwide. Among the malware involved, Qwizzserial has emerged as a professionally built Android SMS stealer. Group-IB first identified it in mid-2024; it then spread widely in Uzbekistan, disguised as legitimate apps such as “Moliyaviy Yordam” (Financial Support) or “Presidential Support.”

According to published reports, over 100,000 devices have been infected, mostly in Uzbekistan, and the campaign earned the criminal group at least $62,000 USD in just three months (March–June 2025).


Method of Spread

Qwizzserial is distributed mainly through Telegram channels, where the operators trick users into installing fake APK files presented as “Are these your photos?”, “Presidential Support”, or other legitimate-looking apps and services.

The attackers created Telegram channels impersonating government organizations, posting fake statements and financial-aid announcements to gain the victims' trust.

Impact Level

During monitoring, the research team observed that the criminal groups took in over $62,000 USD within three months, from mid-March to mid-June 2025, based on information shared in the operators' Telegram channel.

In addition, from 2024 to 2025, more than 100,000 Android devices were affected, and more than 1,200 variants of the Qwizzserial malware were identified.

Campaign Details

Once a victim has been lured through one of the Telegram channels, they download and run an APK written in Kotlin, for example MoliyaviyYordam.apk.

On launch, the app requests permissions related to phone calls and SMS messages (for example READ_SMS and RECEIVE_SMS), along with other permissions that Android classifies as dangerous.

The malware repeatedly prompts the user to grant these permissions and then to enter a phone number and bank card details.

When the victim submits the form, the malware immediately forwards the data through the Telegram Bot API, and the screen switches to a phishing-style notification.

The malware also contains JavaScript that obscures its data-extraction behavior (such as reading SMS) and packs the stolen data into a ZIP archive for exfiltration.

Beyond the initial data collection, Qwizzserial can intercept all new incoming messages and performs other functions such as:

  • Regex-based parsing of account balances from bank SMS

  • Integration with a Telegram bot

  • Reading SMS messages (including those from banks)

  • Harvesting bank card information
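The behaviours described above (SMS permissions, an SMS-receiving component, and exfiltration through the Telegram Bot API) are what an analyst looks for when triaging a suspicious APK. The following is an added example written for this page, not code from the original post or from Group-IB: it inspects a decoded AndroidManifest.xml (as produced by apktool) together with strings pulled from the APK, and scores the combination. The manifest, package name and bot token in the sample input are constructed for the example; the Telegram Bot API URL shape (api.telegram.org/bot<token>/<method>) is real.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission set typical of an SMS stealer: it must receive/read texts and have network egress.
SMS_STEALER_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.INTERNET",
}

# Telegram Bot API calls look like https://api.telegram.org/bot<token>/<method>,
# where <token> is "<bot id>:<secret>". The pattern captures the token and the method.
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]{20,})/(\w+)")


def manifest_findings(manifest_xml: str) -> dict:
    """Extract permission and component facts from a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}

    # Receivers registered for SMS_RECEIVED see every incoming text as it arrives.
    sms_receivers = []
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if "android.provider.Telephony.SMS_RECEIVED" in actions:
                sms_receivers.append(recv.get(ANDROID_NS + "name"))

    # An app with no LAUNCHER entry never shows an icon. One that hides its icon at
    # runtime still has a LAUNCHER entry, so this check is only partial.
    has_launcher = False
    for act in list(root.iter("activity")) + list(root.iter("activity-alias")):
        for flt in act.iter("intent-filter"):
            cats = {c.get(ANDROID_NS + "name") for c in flt.iter("category")}
            if "android.intent.category.LAUNCHER" in cats:
                has_launcher = True
    return {"permissions": perms, "sms_receivers": sms_receivers, "has_launcher": has_launcher}


def string_findings(strings) -> dict:
    """Look for Telegram Bot API endpoints (and the tokens embedded in them) in APK strings."""
    tokens, methods = set(), set()
    for s in strings:
        for m in TELEGRAM_BOT_RE.finditer(s):
            tokens.add(m.group(1))
            methods.add(m.group(2))
    return {"telegram_bot_tokens": sorted(tokens), "telegram_methods": sorted(methods)}


def triage(manifest_xml: str, strings) -> dict:
    """Combine both checks into a simple score with human-readable reasons."""
    m = manifest_findings(manifest_xml)
    s = string_findings(strings)
    score, reasons = 0, []
    if SMS_STEALER_PERMS <= m["permissions"]:
        score += 2
        reasons.append("requests RECEIVE_SMS + READ_SMS + INTERNET")
    if m["sms_receivers"]:
        score += 1
        reasons.append("registers SMS_RECEIVED receiver: " + ", ".join(m["sms_receivers"]))
    if s["telegram_bot_tokens"]:
        score += 2
        reasons.append("contains Telegram Bot API endpoint(s): " + ", ".join(s["telegram_methods"]))
    if not m["has_launcher"]:
        score += 1
        reasons.append("no launcher activity (no home-screen icon)")
    return {"score": score, "reasons": reasons, **m, **s}


# Constructed sample input modelled on the behaviour described in the post; the package
# name and the bot token are invented for this example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakesupport">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Moliyaviy Yordam">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

SAMPLE_STRINGS = [
    "https://api.telegram.org/bot123456789:AAHfakeTokenForExampleOnly_abcdefghijk/sendMessage",
    "https://api.telegram.org/bot123456789:AAHfakeTokenForExampleOnly_abcdefghijk/sendDocument",
    "https://play.google.com/store",
]

if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST, SAMPLE_STRINGS)
    print(result["score"], result["reasons"])
```

In practice the strings would come from `strings classes.dex` or from the decompiled Kotlin; a recovered bot token is worth more than the score, because it identifies the operator's channel and can be reported to Telegram or blocked at the proxy.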

Next, the attacker deploys a second component named file.bin. Although it does not steal data directly the way the SMS-reading code does, it:

  • Makes the app look like a legitimate application, complete with a user interface.

  • Redirects the user to a malicious website, which may be:

    • A page requesting Google or bank account credentials, which are then stolen.

    • A page that downloads further malicious APKs.

All collected information is then sent to the C2 (command & control) server over an encrypted channel, which lets the attacker:

  • Log into the victim's real account

  • Perform fraudulent transactions almost in real time, because the SMS OTP is intercepted immediately afterward

Conclusion

The Qwizzserial campaign marks a further step in mobile cybercrime: a shift from simple phishing to professionally organized mobile malware. Although it currently focuses on Uzbekistan, the same operating model could expand to any country that relies on SMS as an OTP channel. This is a wake-up call for all stakeholders to strengthen authentication and mobile security mechanisms for ordinary users.

Recommendations

  1. Do not install APKs from sources outside Google Play
  • Never install apps from Telegram links, SMS, or unofficial websites.

  • Keep "Install unknown apps" disabled for browsers and messaging apps (including Telegram) in the system settings.

  2. Do not grant SMS reading or Accessibility Service permissions unless necessary
  • If an app requests permissions such as READ_SMS, RECEIVE_SMS, or Accessibility Service access, verify its legitimacy first.
  3. Be cautious of "social support" content spreading on Telegram
  • Fake channels often use national emblems, government organization names, or the word "President" to appear trustworthy.
  4. Check for app icons that may have been hidden
  • Some Qwizzserial variants hide their icon from the home screen → check in “Settings > Apps” if something seems off.
  5. Do not rely on SMS OTP as the only authentication factor
  • Switch to:

    • Multi-factor authentication (MFA) based on push notifications

    • Biometric authentication (fingerprint, face)

    • 3D Secure v2 for online payments

IOC

  1. C2 domains
  • president-support[.]com

  • support-pul[.]com

  • support-uz[.]com

  • support-uzb[.]xyz

  • president-uzb[.]xyz

  • support-uzbekistan[.]xyz

  • sms-tracker-uz[.]xyz

  • trust-mobilebank[.]xyz

  • k-uzb-bank[.]xyz

  • pension-support[.]xyz

  2. SHA-256
  • 23d4e3f9b1d95c0e2a8a19de2c8d20f3b8c66e4ef83032f11b4fd09b55b4a4ff

  • 95a2de11e3d30e9e9f131c391929a87058ef0a6166e9476371035f709e42a3c7

  • db206bfb9293e621c9d6a36077bb275299dd39f5934767a9d28b1f7e38b44f0e
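A practitioner's first use of the indicators above is a retrospective sweep: were any of these domains resolved from our network, and do any APKs we have collected carry one of these hashes? The script below is an added example for this page, not part of the original post or of any vendor tooling. It refangs the domains exactly as listed above, matches DNS query names including subdomains, and compares file hashes case-insensitively. The DNS log format ("<timestamp> <client ip> <qtype> <qname>") and the log lines themselves are constructed for the example.

```python
import hashlib
import re

# Indicators as published on this page, defanged with "[.]".
C2_DOMAINS_DEFANGED = [
    "president-support[.]com", "support-pul[.]com", "support-uz[.]com",
    "support-uzb[.]xyz", "president-uzb[.]xyz", "support-uzbekistan[.]xyz",
    "sms-tracker-uz[.]xyz", "trust-mobilebank[.]xyz", "k-uzb-bank[.]xyz",
    "pension-support[.]xyz",
]
SHA256_IOCS = {
    "23d4e3f9b1d95c0e2a8a19de2c8d20f3b8c66e4ef83032f11b4fd09b55b4a4ff",
    "95a2de11e3d30e9e9f131c391929a87058ef0a6166e9476371035f709e42a3c7",
    "db206bfb9293e621c9d6a36077bb275299dd39f5934767a9d28b1f7e38b44f0e",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable lowercase domain."""
    return ioc.replace("[.]", ".").strip().lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


def domain_matches(qname: str, ioc_domains=C2_DOMAINS):
    """Return the IOC domain that qname equals or is a subdomain of, else None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


# Assumed (constructed) DNS log format: "<timestamp> <client ip> <qtype> <qname>".
DNS_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def scan_dns_log(lines, ioc_domains=C2_DOMAINS):
    """Return one hit per log line whose query name matches an IOC domain."""
    hits = []
    for line in lines:
        m = DNS_LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        matched = domain_matches(m["qname"], ioc_domains)
        if matched:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": m["qname"].lower(), "ioc": matched})
    return hits


def sha256_hex(data: bytes) -> str:
    """Hash an APK (or any file) so it can be compared with the published SHA-256 IOCs."""
    return hashlib.sha256(data).hexdigest()


def match_hashes(observed, ioc_hashes=SHA256_IOCS):
    """Return the observed hashes that appear in the IOC set, normalised to lowercase."""
    return sorted({h.strip().lower() for h in observed} & ioc_hashes)


# Constructed sample log: two queries for IOC domains (one a subdomain with mixed case
# and a trailing dot), one benign query, and one malformed line.
SAMPLE_DNS_LOG = [
    "2025-06-10T08:12:33Z 10.0.0.15 A sms-tracker-uz.xyz",
    "2025-06-10T08:12:34Z 10.0.0.15 A play.googleapis.com",
    "2025-06-10T08:13:01Z 10.0.0.22 A api.President-Support.com.",
    "garbage line",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
    print(match_hashes([
        "23D4E3F9B1D95C0E2A8A19DE2C8D20F3B8C66E4EF83032F11B4FD09B55B4A4FF",
        sha256_hex(b"not an IOC"),
    ]))
```

Subdomain matching matters because operators routinely stand up hosts such as api. or cdn. under a registered C2 domain; an exact-match sweep would miss them. For a real sweep, feed in the resolver's query log and the SHA-256 of every sideloaded APK collected from devices (`sha256sum` over the files pulled with adb), and treat a domain hit as an indicator to triage the client rather than as proof of infection on its own.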

Reference

  1. Qwizzserial: Telegram-Driven Android SMS Stealer Infects 100,000 Devices

  2. June's Dark Gift: The Rise of Qwizzserial | Group-IB Blog
