Malware App Fakes Postal Service to Steal User Personal Data and Manipulate SMS Messages

News and Analysis

A group of researchers at cybersecurity firm Cybereason has detected an upgraded version of FakeSpy, a malware targeting the Android mobile operating system that originally appeared in late 2017. The malware is designed to steal users’ personal information such as financial and application data, contact lists, as well as steal and manipulate SMS messages.

Back in 2017, the malware mainly targeted East Asian countries like South Korea and Japan, but now users around the world may fall victim to FakeSpy. Among most affected countries, Cybereason named the United States, the United Kingdom, Germany, France, China, and Taiwan, among others.

FakeSpy Masquerades as a Trusted Post Office App

FakeSpy is disguised as a trusted official post office and transportation services app, mimicking the carrier’s logo, UI appearance, and redirecting users to the carrier webpage. After installing the app, it requests permissions from the user to allow the app to read text messages, receive, write and send SMS messages, open network sockets, access information about networks, among other things.

The researchers suggested that FakeSpy can potentially infect contacts of the user:

“The malware uses the function sendAll to send messages that spread the malware to other devices. It sends a smishing message to the entire contact list of the infected device along with the malicious link to the FakeSpy installation page.”

Moreover, the analysis showed that FakeSpy uses various techniques to skirt its detection. “It shows that the malware can detect whether it’s running in an emulated environment or a real mobile device, and can change its code pattern accordingly,” the report read.

The Group Behind the Malware

Cybereason suspects that FakeSpy is developed and operated by a Chinese threat actor group called “Roaming Mantis.” The group allegedly stands behind attacks such as hijacking DNS settings on Japanese routers that redirect users to malicious IP addresses, launching malicious Android apps, stealing Apple ID credentials via creating Apple phishing pages, and performing web cryptocurrency mining on browsers.

Generally, the researchers connected the attacks to the Chinese group based on the Chinese server infrastructure, Chinese language traces in the code, and Chinese APK names.

Google-Related Fraudulent Activity Is on the Rise

As recently reported, a modified version of ComRAT malware now targets Gmail users to steal confidential documents. In addition to misappropriation of documents, the trojan collects information about the network, Microsoft Windows configurations, and the Archive Directory groups or users.

Also, threat actors are now targeting Google Analytics service to harvest data entered by users. As the victims are generally Europe and Americas-based online stores selling cosmetics, food products, digital equipment, and spare parts, the stolen information includes their shoppers’ credit card details.

Follow us on Twitter and Facebook and join our Telegram channel to know what’s up with crypto and why it’s important.

Found a typo? Highlight text and press CTRL+ENTER

Subscribe to our Newsletter


Related posts

Tags: , ,