Qwizzserial: Large-scale Android fraud campaign recorded in Uzbekistan

A new wave of cyber attacks targeting users of Android devices has been recorded in Uzbekistan. The center of the threat was malicious software called Qwizzserial, a mobile Trojan that specializes in stealing one-time codes from SMS messages and data from financial applications. Technically advanced and targeted, this malware demonstrates a high level of automation and adaptability to the local market.

According to cybersecurity experts, Qwizzserial functions not as a separate piece of malicious code, but as a complex fraudulent ecosystem. Distribution is carried out through fake APKs-often under pretexts like "Are these your photos?" or "Presidential help". The mailing list is conducted mainly through Telegram channels, stylized as official pages of state institutions.

After installing and granting the necessary permissions — access to SMS, call log, and contact list — the malware gets full control over the user's sensitive data. In its functionality:

• Intercept and analyze incoming SMS messages, including two-factor authentication codes;
• Collecting information about your SIM card, installed software, network environment, and devices;
• Determining the availability of banking and payment applications;
• Transfer of all data to Telegram chats managed by intruders.

Later versions of Qwizzserial use code obfuscation (including through the NP Manager and Allatori tools), as well as hidden activity in the background — the malware continues to function even when the power-saving mode is active. Special attention should be paid to masquerading as harmless video players, which makes it difficult to detect threats from ordinary users.

According to reports from the attackers ' internal telegram chats, from March to June 2025, only one of the criminal groups working with Qwizzserial infected about 100,000 devices, spreading more than 1,200 unique variants of malware. The total damage, according to their own estimates, exceeded \$62,000. Approximately 25% of all malicious builds accounted for 80% of infections, which corresponds to the Pareto principle and indicates a highly efficient diffusion of" successful " malware versions.

A special feature of the local context is the high dependence on SMS codes in the identification system: bank transactions, government services, mobile payments-all tied to text messages. This makes users particularly vulnerable to attacks based on SMS interception.

Experts recommend digital hygiene:

• Never install APKs from messengers or unknown sources;
• Do not grant the app access to text messages and calls unless necessary;
• Use antivirus software and activate the built-in protection mechanisms against installing third-party software.

The Qwizzserial case demonstrates how classic fraud schemes-similar to the Classiscam model-adapt to mobile devices, reducing costs while increasing the scale of damage. In the context of digital transformation and the growing popularity of mobile payments, cyber threats are becoming more sophisticated, targeted and localized.