FakeSpy operators target Japanese users with new FunkyBot malware

• FunkyBot consists of two .dex files: one is a copy of the original application that the malware is impersonating and the other is malicious code.
• The interesting aspect of the malware is that it identifies the telecommunication provider by looking at the IMSI value of the device.

Security researchers have uncovered a new malware campaign targeting Japanese users. The campaign leverages new spyware named FunkyBot. It is executed by the same operators who are responsible for FakeSpy malware.

How does it propagate?

According to FortiGuard Labs, the malware disguises a legitimate application to spread into a victim’s device.

FunkyBot consists of two .dex files: one is a copy of the original application that the malware is impersonating and the other is malicious code.

As for the kill chain, a packer first determines the version of the Android phone in order to generate the proper payload. After that, the payload is installed by calling the method ‘runCode’ class through Java reflection. This, in turn, starts a class called KeepAliceMain which is used by the malware to gain persistence.

Researcher Dario Durando also noted that malware uses a unique way to communicate with the C2 server.

“Much like Anubis used to do with fake Telegram and Twitter accounts, this malware uses social media to obtain its C2: it downloads the webpage of a photo-less Instagram account. It then extracts the biography field of this account and decodes it using Base64,” explained Durando.

What happens next?

Once the connection to the C2 server is established, FunkyBot proceeds to collect the following the information about the device:

• IMEI number
• IMSI number
• Phone number
• List of contacts

After it sends all of the device’s contacts, FunkyBot waits for the C2 server to respond with a telephone number and a message body to construct an SMS.

“This strategy has been used by multiple campaigns, including FakeSpy and MoqHao, to enable the malware to spread in a worm-like fashion. It is logical to assume that this sample would do the same,” added Durando.

The interesting aspect of the malware is that it identifies the telecommunication provider by looking at the IMSI value of the device. The IMSI value is composed of two halves: the first identifies the provider and the second is unique to the specific device.

What are the additional capabilities?

FunkyBot harvests a victim’s list of contacts to ease its propagation process. In its last stage, the malware alters the device settings to make itself the default SMS handler application.

“[It] uses this to upload to the C2 all the received messages. This functionality can be very dangerous, considering that most banks currently use two-factor authentication through SMS,” Durando noted.