Showing posts from June, 2023

MammothFraud, an eastern SMS stealer

The malware, dubbed MammothFraud after one of its logging strings, МАМОНТИЗАЦИЯ!, checks for the android.permission.CALL_PHONE permission and also that the SDK is greater than 26. If both checks pass, it attempts to issue a USSD code to obtain the mobile phone number, for example *111*0887# for the MTS RU provider. When the user has not granted the permissions, it prompts the user with a message to allow the requested permissions. The list also contains other telecom providers from Uzbekistan, Ukraine and Russia, with their USSD codes.

A list of the permissions requested:

android.permission.CALL_PHONE
android.permission.READ_SMS
android.permission.READ_PHONE_STATE
android.permission.SEND_SMS
android.permission.RECEIVE_SMS
android.permission.POST_NOTIFICATIONS

If there are active SIM cards in the device, the sample registers broadcast receivers for handling specific SMS-related events and for shutdown events. It also verifies whether the following applications are insta