Hackers have recently leveraged a vulnerability in the web-based management interfaces of certain cellular routers to co-opt their built-in SMS functionality for nefarious purposes.

By targeting exposed APIs, attackers are able to dispatch large volumes of malicious SMS messages containing weaponized links that lead to drive-by downloads or credential-stealing pages.

This emerging threat vector exploits otherwise legitimate network equipment, transforming routers into unwitting proxies for mass phishing campaigns and malware distribution.

Victims receive SMS texts purporting to be security alerts or delivery notifications, but clicking the embedded URL triggers silent exploitation of device vulnerabilities or launches social-engineering traps.

Throughout August and September 2025, multiple security operations centers noted unusual spikes in SMS traffic originating from residential and enterprise routers rather than cellular networks.

Sekoia researchers identified that threat actors were systematically scanning for endpoints exposing vendor APIs—particularly on models using TR-064 or custom HTTP-based SMS interfaces.

Once discovered, these interfaces permit unauthenticated or weakly authenticated commands to send arbitrary SMS messages via the SIM card installed in the router.

Although the impacted routers vary by manufacturer, commonalities include default credentials left unchanged and outdated firmware lacking API rate-limiting or input validation.

The rapid proliferation of this technique highlights a critical blind spot: network administrators rarely monitor SMS logs on routers as rigorously as they do network traffic or firewall events.

As a result, large-scale campaigns have gone unnoticed for weeks, allowing attackers to refine their messaging templates and evade detection.

Initial lure messages masquerade as two-factor authentication requests or urgent account recovery notifications, exploiting user trust in SMS channels. Subsequent campaigns pivot to more targeted bait based on harvested data, increasing click-through rates and downstream compromise.

Beyond the immediate risk of credential theft, successful exploitation can deliver secondary payloads that pivot into local networks.

Once a victim clicks the weaponized link, a drive-by exploit chain may deploy a backdoor to the user’s device, granting attackers persistent access.

In corporate environments, this intrusion can facilitate lateral movement, data exfiltration, or enrollment of additional devices into the SMS-spam network—amplifying both reconnaissance and monetization opportunities for the threat actors behind these operations.

Infection Mechanism

At the core of this campaign lies the abuse of the router’s SMS API endpoint. Attackers first brute-force or enumerate default administrative credentials to gain shell-level or web-server access.

With valid access, they issue HTTP requests that mimic legitimate SMS-sending commands. The simplest form of this interaction can be illustrated with a curl snippet:-

curl - X POST http://192.168.1.1/api/sms/send \
  - H "Content-Type: application/json" \
  - d '{
        "username":"admin",
        "password":"admin123",
        "destination":"+15551234567",
        "message":"Your account requires immediate verification: http://bit.ly/verify-now"
      }'

In many affected devices, the API fails to enforce strong input sanitization, allowing attackers to inject HTML or JavaScript into the message payload.

This enables more sophisticated attacks, such as weaponized links that automatically execute on click without browser warnings.

Furthermore, the SMS API often exposes status codes and delivery reports, providing feedback that attackers use to measure campaign success and optimize targeting.

To automate these operations at scale, threat actors have repurposed compromised routers into distributed SMS-spam bots.

Custom scripts cycle through recipient lists, randomize sender IDs, and rotate message templates. Some variants even integrate with public paste sites to dynamically update malicious URLs, evading static detection by URL-filtering solutions.

By understanding this infection mechanism, defenders can harden their environments: enforce strong administrative credentials, disable unused SMS interfaces, and apply firmware updates that incorporate proper authentication and rate-limiting controls.

These measures, combined with proactive SMS-traffic monitoring, can disrupt the rapid growth of this stealthy and impactful threat.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Exploit Cellular Router’s API to Send Malicious SMS Messages With Weaponized Links appeared first on Cyber Security News.

A new Android banking trojan has emerged that combines traditional overlay attacks with a stealthy hidden Virtual Network Computing (VNC) server to achieve full remote control of compromised devices.

First detected in late September 2025, the malware is distributed through SMS-based phishing campaigns that lure victims into installing a fake “security” app.

Once granted the necessary permissions, the trojan encrypts its payload, evading static detection, and initiates a background VNC server that remains invisible to the user’s launcher.

Cleafy analysts identified the malware after observing unusual network traffic from several European banks’ mobile users. Upon installation, the trojan immediately requests Accessibility and Device Administrator privileges under the guise of optimizing device performance.

These permissions allow it to intercept touch input, capture screen information, and silently render bogus overlays on legitimate banking applications.

At the same time, the VNC module initializes a hidden framebuffer, enabling threat actors to remotely view and manipulate the device in real time.

While overlay-based banking trojans have been around for years, this new strain’s integration of a headless VNC server represents a significant escalation.

Rather than relying solely on screen overlays, attackers can now navigate the device interface as if they were holding it in their hand—opening apps, entering one-time passwords, and installing additional payloads.

Early cases suggest that victims remain unaware of the remote session, as the trojan suppresses all visual indicators and logs user interactions to blend with legitimate activity.

Once entrenched, the trojan employs multiple persistence tactics. It registers a broadcast receiver for BOOT_COMPLETED to restart the VNC service on device reboot and hooks into the AccessibilityService to monitor screen state changes.

The malware also disables Google Play Protect by exploiting hidden system APIs, preventing updates or scans that might disrupt its operations.

These layers of defense ensure that the remote access remains active until manually removed—a task complicated by the trojan’s ability to hide its icon and camouflages itself under system-level names.

Infection Mechanism

The infection chain begins with a deceptive SMS message containing a download link to a trojanized APK named “BankGuard.apk.”

When the user installs this package, they are prompted to enable two critical permissions: AccessibilityService and Device Administrator.

The following snippet illustrates how the trojan invokes the Accessibility permission request:-

Intent intent = new Intent(Settings.ACTION_ACCESSIBILITY_SETTINGS);
context.startActivity(intent);

Once granted, the malware programmatically registers its AccessibilityService:-

<service android: name=".StealthAccessibilityService"
         android: permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
    <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService" />
    </intent-filter>
    <meta-data
        android: name="android.accessibilityservice"
        android:resource="@xml/accessibilityservice_config" />
</service>

With these hooks in place, the trojan silently launches its VNC server:-

VNCServer vnc = new VNCServer(context);
vnc.startServer(5900);  // Standard VNC port

This headless server captures framebuffer data and listens for incoming remote control commands.

Attackers connect using off-the-shelf VNC clients, gaining unfettered interactive control over the victim’s device.

Through this mechanism, the trojan bypasses traditional overlay detection by avoiding UI injection altogether, relying instead on genuine touch emulation via remote commands.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Android Banking Trojan Uses Hidden VNC to Gain Complete Remote Control Over Device appeared first on Cyber Security News.