An upgraded version of FakeSpy, a three-year-old information-stealing malware, is masquerading as legitimate postal service apps, including the Royal Mail app, to leverage the trust of users and steal their messages, app data, contacts, and financial information.
The use of the FakeSpy Android malware against users of legitimate postal service apps worldwide was observed by security firm Cybereason, which found the campaign active in China, Taiwan, France, Switzerland, Germany, the United Kingdom, the United States, and other countries.
This is the first time the malware family has been seen on such a scale: when FakeSpy was first observed in 2017 it targeted only South Korean and Japanese speakers. According to Cybereason, FakeSpy is a classic info stealer, exfiltrating SMS messages, financial data, account information, contact lists, application data, and other details from Android smartphones.
"FakeSpy masquerades as legitimate postal service apps and transportation services in order to gain the users' trust. Once installed, the application requests permissions so that it may control SMS messages and steal sensitive data on the device, as well as proliferate to other devices in the target device’s contact list," the Cybereason Nocturnus team said in a blog post.
Hackers using SMS phishing to install FakeSpy malware into users' devices
The Chinese-speaking group behind FakeSpy, which Cybereason links to the operation commonly referred to as "Roaming Mantis", uses SMS phishing (smishing) to deliver the malware to targeted devices. In this campaign the group sends Android users text messages that appear to come from the local post office and contain a link the recipient is told to open to see details of an undelivered item.
Once a user clicks the link, they are taken to a website that prompts them to download and install the FakeSpy APK, which is disguised as the local postal service's app. Because the APK is sideloaded from a web page rather than installed from Google Play, the user also has to allow installation from unknown sources. When the app is launched, FakeSpy loads the real post office carrier's web page inside an Android WebView, so the app appears legitimate to the user.
Cybereason found the malware masquerading as a large number of legitimate postal service apps, including those of Royal Mail, Deutsche Post, La Poste, Japan Post, the United States Postal Service, Swiss Post, Yamato Transport, and Chunghwa Post. In this way the malware is able to exploit the trust of millions of users across several continents who use these postal services.
FakeSpy obtains a variety of permissions to exfiltrate user data
Once the malware is installed on a device, it requests a set of permissions that let it read network information; receive, read, write, and send SMS messages; open network sockets; read from external storage; get information about running tasks; hold PowerManager WakeLocks to keep the processor from sleeping or the screen from dimming; and read the user's contacts.
On first run, the fake application also shows two prompts, asking the user to "Change SMS App" (that is, to make it the default SMS handler) and to "Ignore Battery Optimisation". Becoming the default SMS app gives it every incoming message, copies of which it forwards to the C2 server; the battery-optimisation exemption lets it keep running in the background while the screen is off and the phone is locked, rather than being suspended by the system.
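The permission profile described above is something an analyst can check for directly in an APK's manifest. The following is an added example (not code from the article or from Cybereason): given a decoded AndroidManifest.xml, such as the one apktool produces, it lists the SMS, contact, network and battery-optimisation permissions the article mentions, and checks for the intent filter an app must declare before Android will offer it as the default SMS handler (a receiver for `android.provider.Telephony.SMS_DELIVER` protected by `android.permission.BROADCAST_SMS`). The two sample manifests and their package names are constructed for the example, and the "flagged" rule is a triage heuristic of my own, not a detection signature.

```python
"""Heuristic AndroidManifest.xml triage for an SMS-stealer permission profile.

Added example, not from the article or from Cybereason. Input is a decoded
manifest (e.g. from `apktool d app.apk`). The sample manifests below are
constructed; the flagging rule is a hypothetical triage heuristic.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# Real Android permission strings for the capabilities the article lists.
SMS_PERMS = {
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.WRITE_SMS",
}
SUPPORT_PERMS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.GET_TASKS",
    "android.permission.WAKE_LOCK",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
}


def parse_manifest(xml_text):
    """Return (requested permissions, True if a default-SMS-app receiver is declared)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A_NAME) for e in root.iter("uses-permission")}
    # To be offered as the default SMS app, an app must declare a receiver for
    # SMS_DELIVER that is protected by the BROADCAST_SMS permission.
    has_deliver = any(
        recv.get(A_PERMISSION) == "android.permission.BROADCAST_SMS"
        and "android.provider.Telephony.SMS_DELIVER"
        in {a.get(A_NAME) for a in recv.iter("action")}
        for recv in root.iter("receiver")
    )
    return perms, has_deliver


def triage(xml_text):
    """Heuristic (assumption): flag an app that can read SMS, reach the network,
    and either harvests contacts or can become the default SMS handler."""
    perms, has_deliver = parse_manifest(xml_text)
    reads_sms = bool({"android.permission.RECEIVE_SMS",
                      "android.permission.READ_SMS"} & perms)
    network = "android.permission.INTERNET" in perms
    contacts = "android.permission.READ_CONTACTS" in perms
    return {
        "sms_permissions": sorted(perms & SMS_PERMS),
        "support_permissions": sorted(perms & SUPPORT_PERMS),
        "default_sms_candidate": has_deliver,
        "flagged": reads_sms and network and (contacts or has_deliver),
    }


# Constructed sample: the manifest a FakeSpy-style "postal" app would need.
FAKE_POSTAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.postal.tracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Post Tracker">
    <receiver android:name=".SmsReceiver"
              android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a tracking app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.trackinfo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Track Info"/>
</manifest>"""


if __name__ == "__main__":
    for label, xml_text in (("fake postal app", FAKE_POSTAL_MANIFEST),
                            ("benign app", BENIGN_MANIFEST)):
        print(label, triage(xml_text))
```

A legitimate messaging app declares the same SMS_DELIVER receiver, so the "flagged" result is a reason to look closer, not a verdict; what makes it damning in this campaign is the combination with a postal-service brand, an APK served from a link in a text message rather than from Google Play, and the contact-harvesting permission that lets the malware message the victim's contacts.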
Aside from using FakeSpy against Android users, the Chinese-speaking group is also known for hijacking the DNS settings of routers in Japan, distributing malicious Android apps disguised as popular ones, stealing Apple ID credentials through Apple-themed phishing pages, and running in-browser cryptocurrency mining.
"The malware authors seem to be putting a lot of effort into improving this malware, bundling it with numerous new upgrades that make it more sophisticated, evasive, and well-equipped. These improvements render FakeSpy one of the most powerful information stealers on the market. We anticipate this malware to continue to evolve with additional new features; the only question now is when we will see the next wave," Cybereason added.