A new strain of Android malware, dubbed FakeSpy, has been spotted in the wild. It comes with various data-stealing capabilities, can also serve as a delivery vector for a banking trojan, and has primarily targeted Korean and Japanese users.
Cybercriminals generally rely on third-party app stores to deliver Android malware, and the authors of some families, such as BankBot and MilkyDoor, have attempted to get their malicious apps published on the Google Play Store or Apple's App Store. FakeSpy's authors, by contrast, rely on the old-school smishing technique: delivering their malware via SMS messages.
“Would-be victims will first receive a mobile text message masquerading as a legitimate message from a Japanese logistics and transportation company urging recipients to click the link in the SMS,” Trend Micro researchers wrote in a blog. “The link will redirect them to the malicious webpage, and clicking any button will prompt users to download an Android application package (APK). The webpage also has a guide, written in Japanese, on how to download and install the app.”
What can FakeSpy do?
The FakeSpy malware can steal text messages, contacts, account information and call records. It is also capable of muting and resetting a device, harvesting the infected device’s information and updating its own configuration.
According to Trend Micro researchers, the FakeSpy campaign has been active since 2017 and has recently started targeting South Korean users. To Korean victims, the data-stealing malware poses as an app for various local financial services.
To Japanese victims, it poses as an app for a transportation, courier, logistics, e-commerce or clothing retail company, or for a mobile telecommunications service.
Apart from stealing data, FakeSpy also checks an infected device for banking-related apps. If it finds an app of interest, it replaces the banking app with a fake, repackaged version that imitates the legitimate app's user interface.
The fake app then phishes for the victim's credentials by warning that the account will be locked unless they “key in their credentials due to upgrades made on the app to address information leaks”. FakeSpy also scans the device for cryptocurrency trading apps, the researchers noted.
Slipping under the radar
FakeSpy’s authors use various approaches to evade detection.
For instance, the malware abuses social media as a dead drop for its command-and-control (C2) address: the C2 server's IP address is written into a Twitter profile whose handle is changed on a regular basis. When the malware is launched, it fetches the Twitter page and parses its contents to recover the C2 IP address. FakeSpy's authors also abuse forums and open-source dynamic tools in the same way.
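To make the dead-drop technique concrete, here is an added example (written for this page, not code from FakeSpy or from Trend Micro's analysis) that models the resolver side: it walks an ordered list of fallback profile handles, strips the HTML of each page, pulls out every IPv4 literal, discards malformed and non-routable decoys, and returns the first usable address. The handles, the page contents, the assumption that the address appears as a plain dotted-quad, the fallback-handle list and the non-routable filter are all constructed for illustration; the addresses are documentation-range placeholders, not FakeSpy indicators.

```python
"""Model of a social-media dead-drop C2 resolver of the kind the article
describes: the operator writes the C2 IP into a profile, the implant fetches
the profile page and parses the address out of it.

Everything below is constructed for illustration. The handles, HTML and
addresses are placeholders (RFC 5737 documentation ranges), not indicators.
"""
import ipaddress
import re
from html import unescape
from typing import Dict, List, Optional, Tuple

# Constructed profile pages keyed by handle. A real implant would fetch these
# over HTTPS; they are embedded here so the example runs offline.
SAMPLE_PROFILE_PAGES: Dict[str, str] = {
    # First handle has been renamed or suspended: the page carries no address.
    "@example_handle_1": "<html><body><p>Account suspended</p></body></html>",
    # Second handle carries decoy text plus the (placeholder) C2 address.
    "@example_handle_2": (
        "<html><body>"
        '<div class="bio">app v2.3.1 &#8211; test 10.0.0.1 &#8211; '
        "build 999.1.1.1 &#8211; 198.51.100.23</div>"
        "</body></html>"
    ),
}

# Four dot-separated groups of 1-3 digits, not glued to other digits.
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")

# Blocks an implant would never be told to contact; anything in them is
# treated as decoy or noise. (Assumed filter, not taken from the article.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


def extract_candidate_ips(page_html: str) -> List[str]:
    """Return every syntactically valid IPv4 literal in the page, in order."""
    # Drop tags, then decode entities such as &#8211; so the regex sees text.
    text = unescape(re.sub(r"<[^>]+>", " ", page_html))
    found = []
    for literal in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(literal)  # rejects octets > 255, e.g. 999.1.1.1
        except ValueError:
            continue
        found.append(literal)
    return found


def is_routable(ip: str) -> bool:
    """True unless the address falls in one of the NON_ROUTABLE blocks."""
    addr = ipaddress.IPv4Address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def resolve_c2(pages: Dict[str, str], handles: List[str]) -> Optional[Tuple[str, str]]:
    """Walk the handles in fallback order; return (handle, ip) for the first
    routable address found, or None if every page is missing or empty."""
    for handle in handles:
        page_html = pages.get(handle)
        if page_html is None:
            continue
        for ip in extract_candidate_ips(page_html):
            if is_routable(ip):
                return handle, ip
    return None


if __name__ == "__main__":
    print(resolve_c2(SAMPLE_PROFILE_PAGES, ["@example_handle_1", "@example_handle_2"]))
```

The same parsing is what a detection engineer can turn around: an app that fetches a social-media profile on launch and then opens a socket to an address it just read out of that page is worth flagging, and because the article notes the configured C2 address changes at least daily, comparing the address resolved today with yesterday's gives a simple rotation signal.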
“To further evade detection, the C&C server address configured into the apps is updated at least once per day,” Trend Micro researchers said. “It’s also worth noting that the cybercriminals behind FakeSpy are active, at least based on their activities on forums and the related URLs they register to host their malware.”
Although the malware has so far only targeted users in East Asia, Trend Micro researchers believe the campaign could soon expand to users in other parts of the world, given how continually the authors tweak FakeSpy's configuration.