Cyble Research Labs discovered an Android-based phishing campaign targeting customers of telecommunication services based in Japan.

What happened?

According to the research, attackers created multiple domains to spread a fake copy of a telecommunication provider’s Android app.
  • The malware-laced fake app steals credentials and session cookies.
  • Researchers have discovered over 2,900 credentials/cookies for 797 Android and 2,141 for Apple mobile devices stolen during this campaign.
  • The app asks for a couple of permissions to allow the attacker to obtain information regarding network connections on the device.

How does the malware work?

When a malicious app is executed, it asks the users to connect to the cellular network and disable the Wi-Fi. The fake app opens up to the telecommunications payment service’s official webpage.
  • The log-in is a network PIN number given to the customer when the subscription is confirmed. If a subscriber is needed to validate their identity or change some settings, they use this PIN.
  • The app shows the official payments URL in WebView to lure the victims and hides malicious strings to block reverse engineering and detection.
  • After the information is stolen, it is sent to an attacker’s email using Simple Mail Transfer Protocol (SMTP).


Phishing via imitating an official app of any popular software is a common yet effective tactic. Moreover, the attackers behind the malicious Android apps are using multiple techniques to stay hidden from security solutions. Therefore, the recommended way to avoid such risks is to never download apps from unknown third-party stores and use the official app store only.

Cyware Publisher