New Pheno Plugin Turns Microsoft Phone Link into a Stealthy SMS and OTP Thief

Overview

A newly discovered variant of the CloudZ remote access trojan (RAT) is leveraging an innovative plugin named Pheno to hijack the trusted Microsoft Phone Link service. This attack enables cybercriminals to intercept SMS messages and one-time passwords (OTPs) from compromised mobile devices, posing a significant threat to two-factor authentication (2FA) security.

Source: www.bleepingcomputer.com

How the Attack Works

The malware operates in a multi‑stage fashion, combining the established capabilities of CloudZ with the novel Phone Link abuse. The process typically unfolds as follows:

Technical Details of the Hijack

The Pheno plugin does not require elevated privileges beyond what the Phone Link app already possesses. It hooks into the shared memory buffer used by Phone Link to synchronize messages between devices. By monitoring this buffer in real time, Pheno can capture each incoming SMS before the user even reads it. The plugin also maintains a local cache to avoid duplicate exfiltration and to evade detection by signature‑based antivirus tools.

Microsoft Phone Link is a legitimate utility that enables users to read SMS, make calls, and manage notifications from their PC. While convenient, its deep integration with the operating system makes it an attractive target for malware. The attack exploits the trust that security software places in Phone Link’s activities, as the app is often whitelisted by default. Furthermore, because Phone Link already has permission to access SMS content, Pheno can operate without triggering additional permission prompts on the mobile device.
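Because Pheno runs inside the trust boundary of an allow-listed app, the detection opportunity lies in the process-level telemetry around Phone Link rather than in the plugin's own signature: an unexpected module mapped into the Phone Link process, or an unrelated process opening a handle to it or creating a remote thread in it. The following is an added example (not code from the article or from Microsoft) that applies such rules to a few constructed Sysmon-style events (ImageLoad = event 7, CreateRemoteThread = event 8, ProcessAccess = event 10). The process name `PhoneExperienceHost.exe`, the trusted-path list, the allowed accessors, and the package folder placeholder `PHONE_LINK_PACKAGE` are assumptions for the example.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption (not from the article): the Windows host process of Phone Link.
PHONE_LINK_IMAGE = "phoneexperiencehost.exe"

# Assumption: directories from which modules are expected inside Phone Link.
TRUSTED_MODULE_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\windowsapps\\",
)

# Assumption: system processes that routinely open handles to other processes.
# In production this allow-list would come from signer identity and policy.
ALLOWED_ACCESSORS = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\lsass.exe",
}


@dataclass
class Alert:
    rule: str
    event_id: int
    image: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert if one Sysmon-style event looks like tampering with
    the Phone Link process, otherwise None."""
    eid = event.get("EventID")
    if eid == 7:  # ImageLoad: a DLL was mapped into a process
        if _basename(event.get("Image", "")) != PHONE_LINK_IMAGE:
            return None
        loaded = event.get("ImageLoaded", "")
        trusted_path = loaded.lower().startswith(TRUSTED_MODULE_PREFIXES)
        signed = str(event.get("Signed", "")).lower() == "true"
        if not (trusted_path and signed):
            return Alert("unexpected_module_in_phone_link", eid,
                         event.get("Image", ""), loaded)
    elif eid in (8, 10):  # CreateRemoteThread / ProcessAccess
        if _basename(event.get("TargetImage", "")) != PHONE_LINK_IMAGE:
            return None
        source = event.get("SourceImage", "")
        if source.lower() not in ALLOWED_ACCESSORS:
            rule = ("remote_thread_into_phone_link" if eid == 8
                    else "handle_to_phone_link_from_untrusted_source")
            detail = event.get("GrantedAccess") or event.get("StartAddress", "")
            return Alert(rule, eid, source, detail)
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Evaluate newline-delimited JSON events and collect the alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = evaluate(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry for the example; paths and file names are made up.
SAMPLE_LOG = r"""
{"EventID": 7, "Image": "C:\\Program Files\\WindowsApps\\PHONE_LINK_PACKAGE\\PhoneExperienceHost.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true"}
{"EventID": 7, "Image": "C:\\Program Files\\WindowsApps\\PHONE_LINK_PACKAGE\\PhoneExperienceHost.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\sync_helper.dll", "Signed": "false"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Program Files\\WindowsApps\\PHONE_LINK_PACKAGE\\PhoneExperienceHost.exe", "GrantedAccess": "0x1400"}
{"EventID": 10, "SourceImage": "C:\\Users\\alice\\AppData\\Roaming\\updater\\host.exe", "TargetImage": "C:\\Program Files\\WindowsApps\\PHONE_LINK_PACKAGE\\PhoneExperienceHost.exe", "GrantedAccess": "0x1F0FFF"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed log, the first ImageLoad (a signed system DLL) passes, while the unsigned DLL from a user temp directory and the handle opened from a user-profile executable each raise an alert. The same two rule families are what an EDR product would evaluate continuously; the allow-lists are where the real engineering effort lies.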

Previous Cases and Similar Techniques

This is not the first time malware has targeted the Phone Link ecosystem. Past campaigns have used trojanized versions of Phone Link or exploited its notification mirroring to phish users. However, the CloudZ/Pheno combination marks the first instance of a plugin directly hijacking the message‑synchronization protocol to steal OTPs in bulk.

Impact and Implications

The theft of OTPs undermines one of the most popular 2FA methods. Even if a user has enabled two‑factor authentication, an attacker armed with a valid OTP can log in as long as they also have the victim’s password. This makes the attack particularly dangerous for:


Additionally, because the attack works silently in the background, victims may not realize their OTPs are being stolen until they see unauthorized logins on their accounts.

Mitigation Strategies

To defend against this and similar threats, users and organizations should adopt a layered security approach:

  1. Use app‑based authenticators – replace SMS‑based 2FA with authenticator apps (e.g., Microsoft Authenticator, Google Authenticator) or hardware tokens. These generate codes offline and are not accessible via Phone Link.
  2. Monitor Phone Link permissions – regularly review which applications have access to SMS data on the mobile device. Revoke access for any suspicious apps or unused connections.
  3. Deploy endpoint detection and response (EDR) – modern EDR tools can detect anomalous behavior such as code injection into trusted processes like Phone Link.
  4. Keep software updated – ensure Microsoft Phone Link and the operating system are patched against known vulnerabilities that malware could exploit.
  5. Educate users about phishing – since CloudZ often arrives via email, training users to spot phishing attempts can prevent the initial infection.

Conclusion

The emergence of the Pheno plugin demonstrates how cybercriminals continuously evolve their techniques to bypass security measures. By abusing a trusted, built‑in application like Microsoft Phone Link, CloudZ can silently siphon OTPs and defeat 2FA. As remote access and mobile‑to‑PC integration grow, users must remain vigilant and adopt stronger authentication methods to protect their digital identities.
