Android security: This fake message about a missed delivery leads to data-stealing malware

FakeSpy malware spreads via SMS phishing, using each infected victim to further distribute itself - and researchers say the cyber-criminal operation behind it is finding a lot of success.
Written by Danny Palmer, Senior Writer

A potent form of Android malware that can steal bank details, personal information, private communications and more has returned with a new campaign that spreads itself via SMS phishing attacks.

FakeSpy malware has been active since 2017, initially targeting users in Japan and South Korea, but now it's targeting Android users around the world – with tailored attacks designed to lure users across Asia, Europe and North America.

The latest FakeSpy campaign has been detailed by cybersecurity researchers at Cybereason, who say the attacks are linked to 'Roaming Mantis', a Chinese-speaking cyber-criminal operation that has operated similar campaigns.


FakeSpy is described as under "active development" and "evolving rapidly" with a new version of the malware released each week, complete with new capabilities and evasion techniques.

The malware serves as an information stealer, used to steal SMS messages, financial information, application and account information, read contact lists and more.

The latest campaign is widespread, targeting users in China, Taiwan, France, Switzerland, Germany, the UK, the US and others, but in every country the method of installation is the same: a phishing message claiming to relate to a missed package from a local postal or delivery service.

A phishing link in the text message directs users to a fake website that tells them to download an app masquerading as the local postal service. For example, UK users are instructed to download a specially designed fake version of the Royal Mail app, while targets in the US are led to a site to download a fake US Postal Service app.

Germany's Deutsche Post, France's La Poste, Japan Post, Swiss Post and Taiwan's Chunghwa Post brands are also being faked by the crooks.

The fake applications are built using WebView and designed to look like the real thing. After the application is downloaded – which requires the user to allow installation from unknown sources – the fake page redirects to the legitimate website in an effort to avoid making the victim suspicious about what they've just downloaded.

The malware also asks for a number of permissions it requires to operate – but given so many legitimate applications ask for extensive use of the device anyway, the victim is unlikely to give it a second thought.

Once installed, FakeSpy can monitor the device to steal various forms of information, including name, phone number, contacts, bank and cryptocurrency wallet details, as well as monitoring text messages and app usage.

FakeSpy also exploits the infection to spread itself, sending the postal-themed phishing message to all of the victim's contacts. This indicates it isn't a targeted campaign but a financially driven cyber-criminal operation looking to spread as far and wide as possible, with the aim of making as much money as possible from stolen bank information and other personal credentials.
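As an added example that is not part of the article or of Cybereason's research, the following Python triage routine applies the lure characteristics described above to constructed SMS records: a delivery-themed message carrying a link to a domain outside an assumed allowlist of the legitimate postal brands, a brand name embedded in a lookalike host, or a link that points straight at an .apk sideload. The allowlist, keyword lists and sample messages are assumptions made for illustration, not indicators from the campaign.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of legitimate domains for the postal brands the article names.
# Illustrative only: a real deployment would use a maintained, verified list.
OFFICIAL_POSTAL_DOMAINS = {
    "royalmail.com", "usps.com", "deutschepost.de", "laposte.fr",
    "japanpost.jp", "post.ch", "post.com.tw",
}
# Brand tokens that, when embedded in a non-allowlisted host, suggest a lookalike (constructed).
BRAND_TOKENS = ("royalmail", "usps", "deutschepost", "laposte", "japanpost", "swisspost", "chunghwa")
# Wording typical of the missed-delivery lure described in the article (constructed).
LURE_TERMS = ("missed", "delivery", "package", "parcel", "redeliver", "shipment")

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

# Constructed sample messages: one legitimate, one mimicking the lure, one unrelated.
SAMPLE_SMS = [
    "Royal Mail: we missed your delivery. Reschedule at https://royalmail.com/track/abc",
    "Royal Mail: your package could not be delivered, download the app https://royalmail-redelivery.xyz/app.apk",
    "Lunch at 12? https://example.org/menu",
]

def registrable_domain(host):
    # Naive two-label approximation (assumption: no public-suffix list offline); handles post.com.tw style hosts.
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "com", "org", "net", "gov"}:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])

def triage_sms(body):
    """Return (kind, url) findings for one SMS body; an empty list means nothing suspicious."""
    findings = []
    has_lure = any(term in body.lower() for term in LURE_TERMS)
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if registrable_domain(host) in OFFICIAL_POSTAL_DOMAINS:
            continue  # link lands on a known legitimate postal domain
        if parsed.path.lower().endswith(".apk"):
            findings.append(("apk_sideload", url))  # direct APK download, i.e. unknown-sources install
        if any(token in host for token in BRAND_TOKENS):
            findings.append(("brand_lookalike", url))  # postal brand name inside an unrelated host
        if has_lure:
            findings.append(("delivery_lure_offsite_link", url))
    return findings

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(triage_sms(sms) or "clean", "<-", sms[:60])
```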

"We are under the impression that this attack is what we often refer to as 'spray and pray'. I don't believe they are aimed at a particular individual, but instead the threat actors try their luck, casting a rather wide net, and waiting for someone to take a bite," Assaf Dahan, senior director and head of threat research at Cybereason, told ZDNet.

"We see new developments and features added to the code all the time, so my guess is that business is good for them," he added.


FakeSpy has been active for the past three years and continues to pose a threat to Android users as it evolves and changes.

However, despite the powerful nature of the malware, users can avoid falling victim to it by being extremely cautious about unexpected messages, especially those claiming to be from organisations asking the user to click on a link or download something – as it's likely to be a phishing attack.

"Users should apply critical thinking and be suspicious of SMS messages containing links. If they do click on a link, they need to check the authenticity of the webpage, look for typos or wrong website name, and most of all – avoid downloading apps from unofficial stores," said Dahan.

"Deleting the fake application through the application manager is a good way to mitigate this threat. In addition, having a mobile security solution can detect and remediate the threat," he added.
