FakeSpy Android Malware Targets Legitimate Postal and Transportation Services

A new version of the Android malware dubbed FakeSpy uses new and significantly improved techniques to lure its victims compared to previous versions. First identified in October 2017, FakeSpy is still active and under development.

Key findings

Recently, the Cybereason Nocturnus team reported an attack campaign targeting users all around the world, especially in countries such as China, Taiwan, France, Switzerland, Germany, the United Kingdom, the United States, and others.
  • In this new campaign, FakeSpy malware was masquerading as legitimate government post office apps (like Chunghwa Post, The Royal Mail, US Postal Service, Deutsche Post, Japan Post, Swiss Post) and transportation services apps (like Yamato Transport) to gain the users' trust.
  • FakeSpy uses smishing (SMS phishing) messages to lure victims into clicking a malicious link. The link leads to a fake website that prompts them to download and install the FakeSpy APK, which is how the malware gets onto the target device.
  • FakeSpy has multiple built-in information-stealing capabilities. The newer version uses new URL addresses for its command-and-control communication and several emulator-detection techniques so that it can evade analysis when run in a sandbox.
  • The campaign has a connection with the Chinese threat actor dubbed "Roaming Mantis".
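The infection chain above starts with an SMS that impersonates a carrier and carries a link. As an added example that is not part of the original article, the following Python script triages SMS text along those lines: it flags messages that mention one of the impersonated postal or transport brands and link to a host outside an allowlist, or that link directly to an .apk file. The brand-to-domain map and the sample messages are constructed assumptions for this example; verify each carrier's official domains before relying on such a list.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Illustrative allowlist of brand keyword -> domains assumed to be legitimate.
# This map is an assumption made for the example, not data from the article.
BRAND_DOMAINS = {
    "royal mail": {"royalmail.com"},
    "usps": {"usps.com"},
    "deutsche post": {"deutschepost.de"},
    "japan post": {"japanpost.jp"},
    "swiss post": {"post.ch"},
    "chunghwa post": {"post.gov.tw"},
    "yamato": {"kuronekoyamato.co.jp"},
}

# Matches http(s) URLs and scheme-less "www." links as they appear in SMS text.
URL_RE = re.compile(r'(?:https?://|www\.)[^\s<>"\']+', re.IGNORECASE)


@dataclass
class Verdict:
    message: str
    urls: list = field(default_factory=list)
    brands: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, tolerating a missing scheme."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def allowed(host: str, domains: set) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(message: str) -> Verdict:
    """Score one SMS: brand mention + off-allowlist host, or a direct APK link."""
    v = Verdict(message=message)
    text = message.lower()
    v.brands = [b for b in BRAND_DOMAINS if b in text]
    v.urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(message)]
    for url in v.urls:
        host = host_of(url)
        full = url if "://" in url else "http://" + url
        # Direct APK links are how the fake site hands over the payload.
        if urlparse(full).path.lower().endswith(".apk"):
            v.reasons.append(f"apk_download:{host}")
        # A carrier name next to a link that does not resolve to that
        # carrier's own domain is the classic smishing pattern.
        for brand in v.brands:
            if not allowed(host, BRAND_DOMAINS[brand]):
                v.reasons.append(f"brand_impersonation:{brand}:{host}")
    return v


def triage_all(messages):
    return [triage(m) for m in messages]


# Constructed sample messages for this example (not real campaign lures).
SAMPLE_MESSAGES = [
    "Royal Mail: your parcel could not be delivered. Reschedule at "
    "http://royalmail-redelivery.example.com/track",
    "USPS: track your package at https://tools.usps.com/go/TrackConfirmAction",
    "Yamato Transport: install the delivery app www.example.net/yamato.apk",
    "Lunch at 12?",
]

if __name__ == "__main__":
    for v in triage_all(SAMPLE_MESSAGES):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"[{flag}] {v.message[:60]!r} reasons={v.reasons}")
```

The allowlist deliberately matches subdomains of a legitimate domain (tools.usps.com passes) but not hosts that merely contain the brand name (royalmail-redelivery.example.com is flagged), because lookalike registrations are exactly what a smishing lure relies on.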

Roaming Mantis group's recent activities

Since 2017, Roaming Mantis has kept improving its attack methods and expanding to new targets in order to steal more funds.
  • In June, the Roaming Mantis cybercrime group employed phishing attacks against Apple ID accounts and Android accounts and started targeting new regions via phishing website lures.
  • In February, the Roaming Mantis campaign delivered the Fakecop (aka SpyAgent) and Wroba.j (aka) Trojans via SMS spam containing links to a variety of fake websites. The group also spoofed customized brand icons.

Stay safe

Users should download apps only from official websites and app stores. Use extreme caution with suspicious or unknown attachments and with messages containing links. Avoid baits such as coupon redemptions, offers, or deals.