
XLoader and FakeSpy Android malware linked to Chinese hacker group Yanbian Gang

  • XLoader and FakeSpy are prolific Android malware families, which have infected over 380,000 victims across the globe.
  • Yanbian Gang is a Chinese hacker group that is known to have conducted heists against South Korean banks.

The prolific Android malware families XLoader and FakeSpy, both of which saw tremendous propagation in 2018, have been found to have links with a Chinese hacker group called Yanbian Gang.

While XLoader can steal financial data and personally identifiable information (PII) and install additional malicious code, FakeSpy primarily steals personal information. Together, XLoader and FakeSpy have infected 384,748 victims across the globe, with the majority located in Japan and South Korea.

“The first clue that led to the discovery of the connection between XLoader and FakeSpy is when the former was observed disguising itself as a legitimate app of a major Japanese home delivery service company in June,” Trend Micro researchers, who discovered the link between the malware families and the Chinese hacker group, wrote in a blog. “Interestingly, almost all FakeSpy variants posed as the abovementioned Japanese apps to steal sensitive information from users.”

The researchers discovered 126 domains shared by FakeSpy and XLoader for distributing malware. The two families also showed several similarities in their command-and-control (C2) infrastructure, and the malicious domains they shared were found to be located in China.

“The registrants’ phone numbers also appear to originate from the Jilin Province, which was known as the Yanbian Gang members’ location,” Trend Micro researchers added. “Considering all information gathered from our research, we can speculate that the Yanbian Gang has possible connections to FakeSpy and XLoader. However, it could also just mean that two different sets of threat actors or groups are using the same service or deployment infrastructure.”
