A new Android Trojan, CloudZ, has learned to abuse Microsoft Phone Link features to access SMS and one-time codes without the user’s knowledge, opening a way for attackers to bypass two-factor authentication.
A recently updated version of the Remote Access Tool (RAT) known as CloudZ has introduced a brand-new malicious component called Pheno that intercepts Microsoft Phone Link communications in order to capture sensitive codes from users’ mobile phones.
The malware was discovered while investigating an intruder who had been active since January. Researchers speculate that the attacker’s ultimate goal was to obtain user credentials and temporary passwords.
Phone Link comes pre-installed on all versions of Windows 10 and 11; it lets you manage your mobile devices (Android and iOS) from your PC: making and receiving calls, responding to text messages, and viewing notifications received on your mobile device.
In theory, if an attacker had established communication with your mobile device via Phone Link, they would have the ability to intercept sensitive messages being sent to your mobile phone without having compromised the mobile device.
According to the Cisco Talos research team, Pheno tracks the current Phone Link sessions on the victim’s machine and has access to the victim’s local SQLite database, which contains SMS messages and OTPs.
As a result, the attacker has full access to the sensitive information contained in that SQLite database without needing to compromise the mobile device.
“An attacker utilizing CloudZ RAT with confirmed Phone Link activity on a victim’s machine can potentially intercept the Phone Link application’s SQLite database file on the victim’s computer, thus compromising access to SMS messages containing one-time passwords and other authentication application notifications,” according to Cisco Talos reports.
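The access pattern described above suggests a host-side check: any process other than Phone Link itself opening the Phone Link SQLite store is worth an alert. The Python snippet below is an added example, not code from the Talos report or from the CloudZ analysis; it filters constructed Sysmon-style file-access events and also catches a look-alike binary that borrows the Phone Link process name from a non-standard location. The process name (PhoneExperienceHost.exe), its WindowsApps install location and the Microsoft.YourPhone package path pattern are assumptions, not values taken from the report.

```python
"""Flag processes other than Phone Link that read Phone Link's local SQLite store.
Events below are constructed Sysmon-style file-access records, not real telemetry."""
import re
from dataclasses import dataclass

# ASSUMPTIONS (not from the report): Phone Link runs as PhoneExperienceHost.exe out of
# the WindowsApps folder and keeps its data under the Microsoft.YourPhone package folder.
PHONE_LINK_PROCESSES = {"phoneexperiencehost.exe"}
PHONE_LINK_IMAGE_PREFIX = "c:\\program files\\windowsapps\\"
PHONE_LINK_STORE = re.compile(
    r"\\Packages\\Microsoft\.YourPhone_[^\\]+\\.*\.(db|sqlite|db-wal|db-shm)$",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class FileAccess:
    process: str     # image file name of the accessing process
    image_path: str  # full path of that image on disk
    target: str      # file that was opened

def is_phone_link_store(path: str) -> bool:
    """True if the path points into the Phone Link package data, including SQLite WAL/SHM files."""
    return PHONE_LINK_STORE.search(path) is not None

def is_genuine_phone_link(ev: FileAccess) -> bool:
    """Require both the expected process name and the expected install location."""
    return (ev.process.lower() in PHONE_LINK_PROCESSES
            and ev.image_path.lower().startswith(PHONE_LINK_IMAGE_PREFIX))

def suspicious_accesses(events):
    """Return events where something other than genuine Phone Link touched the store."""
    return [ev for ev in events if is_phone_link_store(ev.target) and not is_genuine_phone_link(ev)]

# Constructed sample events: one legitimate read, one foreign process, one name-spoofing
# binary in Temp, and one unrelated browser access that must not trigger.
STORE = r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\messages.db"
SAMPLE_EVENTS = [
    FileAccess("PhoneExperienceHost.exe",
               r"C:\Program Files\WindowsApps\Microsoft.YourPhone_1.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe", STORE),
    FileAccess("update.exe", r"C:\Users\alice\AppData\Local\Temp\update.exe", STORE),
    FileAccess("PhoneExperienceHost.exe", r"C:\Users\alice\AppData\Local\Temp\PhoneExperienceHost.exe", STORE),
    FileAccess("chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
               r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History"),
]

if __name__ == "__main__":
    for ev in suspicious_accesses(SAMPLE_EVENTS):
        print(f"ALERT: {ev.process} ({ev.image_path}) read {ev.target}")
```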

In addition to the capabilities provided by the Pheno plugin, CloudZ can exfiltrate data stored in web browsers, profile the host system, and execute commands to:
Perform file management operations (delete, download, and write)
Execute shell commands
Start screen recording
Manage plugins (download, remove, save to disk)
Terminate RAT processes
Cisco reported that CloudZ uses three hardcoded User-Agent strings to disguise its HTTP requests so that they appear to originate from a legitimate web browser.
CloudZ also adds an anti-cache header to every HTTP request it makes to ensure that proxies and CDNs do not cache any of its C2 communications (or subsequent intermediary server communications).
Although the researchers could not determine how the attackers initially gained access to the system, once the victim executed a fake ScreenConnect update, the resulting executable dropped a Rust-based bootloader, which in turn deployed a .NET bootloader that installed the CloudZ Remote Access Trojan (RAT), established persistence through a scheduled task, and performed several anti-analysis checks, including:
Time-based sandbox evasion steps
Checks for analysis tools (Wireshark, Fiddler, ProcMon, Sysmon)
Checks for virtual machine and sandbox-related strings

To protect against such attacks, users should avoid SMS-based OTP services and use authentication apps that do not require push notifications, which can be intercepted. For more sensitive information, it is recommended to switch to phishing-resistant solutions such as hardware keys.
Cisco Talos has published a set of indicators of compromise, including URLs, hashes of malicious components, domains, and IP addresses, that security experts can use to protect their environments.