Last updated on March 9, 2021
Cybereason warns of a new variant of the Android malware FakeSpy, which was first described in 2017. The current campaign reportedly uses a significantly improved and more capable version that also adds further obfuscation techniques. Another new feature is that FakeSpy now disguises itself as official postal and transport apps.
In addition, according to the analysis, the operators are no longer limiting themselves to East Asian countries. The malware is currently also active in France, Switzerland, the USA, Great Britain and Germany.
FakeSpy's real job is to steal information. An important characteristic of the malware is that it can read and send SMS messages. It uses this ability for so-called smishing, or SMS phishing, a tactic based on social engineering: fake text messages are designed to trick victims into clicking a malicious link that downloads a malicious Android installation package (APK).
The fake SMS messages currently claim to come from a postal service and carry a link to an app in which FakeSpy is hidden. Among other things, the operators offer fake apps impersonating the British Royal Mail, the Swiss Post, the United States Postal Service, the French La Poste and the Deutsche Post.
The malicious apps themselves are built on the Android WebView component. Among other things, the app loads the legitimate website of the respective postal provider to make it appear more trustworthy. This is also intended to lower an important hurdle to installing the actual malware, namely getting the user to allow the installation of apps from unknown sources.
If a victim is fooled, the malware asks during installation for, among other things, the permissions to read, receive, write and send SMS. It also needs access to internal and external storage. Just as important is the permission to display system alert windows that overlay whichever app is currently open. In addition, users are asked to confirm that the app may be exempted from the energy-saving settings so that it remains active even when the screen is switched off. "These inquiries require that the end user accept the permission changes and indicate the importance of a healthy level of skepticism when approving app permissions," said Cybereason.
Only then does the malware begin its actual activity. Among other things, it reads out the victim's address book and telephone number. It also collects details on the smartphone in use, the Android version, the mobile carrier and the installed apps.
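The permission profile described in the two paragraphs above (SMS, storage, overlay, battery exemption, plus contacts and device details) is something an analyst can check for before ever running a suspicious APK. The following script is an added example, not code from Cybereason or from FakeSpy: it parses the output of `aapt dump permissions <apk>` (Android SDK build-tools) and flags that combination. The mapping of the article's wording to Android permission constants, the grouping and the verdict rule are this example's own assumptions, and the sample dumps are constructed, not captured from any real app.

```python
"""Triage an APK's declared permissions for the profile described above.

Added example, not Cybereason's or FakeSpy's code. Parses the output of
`aapt dump permissions <apk>` and flags the combination of SMS, storage,
overlay and battery-exemption permissions the article lists. Permission
constants, grouping and verdict rule are assumptions made for this example;
the sample dumps are constructed, not captured.
"""
import re

# Android permission constants assumed to correspond to the article's wording.
# "Writing SMS" has no ordinary runtime permission (it needs the default SMS
# app role), so only the read/receive/send permissions are listed for that group.
PERMISSION_GROUPS = {
    "sms": {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.SEND_SMS",
    },
    "storage": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    },
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "battery": {"android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "device": {
        "android.permission.READ_PHONE_STATE",
        "android.permission.READ_PHONE_NUMBERS",
    },
}

# Matches both aapt styles: "uses-permission: name='X'" and "uses-permission: X".
_PERMISSION_LINE = re.compile(
    r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([A-Za-z0-9_.]+)'?"
)


def parse_aapt_permissions(dump):
    """Return the set of permission names declared in an aapt permissions dump."""
    found = set()
    for line in dump.splitlines():
        match = _PERMISSION_LINE.match(line.strip())
        if match:
            found.add(match.group(1))
    return found


def matched_groups(permissions):
    """Return the names of the groups that at least one declared permission hits."""
    return {name for name, members in PERMISSION_GROUPS.items() if permissions & members}


def triage(dump):
    """Parse a dump and apply the verdict rule.

    Verdict rule (assumption, not from the report): SMS access combined with
    either the overlay permission or the battery-optimization exemption is the
    profile the article describes, so that combination is flagged.
    """
    permissions = parse_aapt_permissions(dump)
    groups = matched_groups(permissions)
    suspicious = "sms" in groups and bool(groups & {"overlay", "battery"})
    return {
        "permissions": sorted(permissions),
        "groups": sorted(groups),
        "suspicious": suspicious,
    }


# Constructed sample dumps (not real aapt output from any named app).
SAMPLE_POSTAL_LOOKALIKE = """\
package: com.example.postal
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE' maxSdkVersion='28'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
"""

SAMPLE_BENIGN_BROWSER = """\
package: com.example.browser
uses-permission: android.permission.INTERNET
uses-permission: android.permission.ACCESS_NETWORK_STATE
uses-permission: android.permission.READ_EXTERNAL_STORAGE
"""

if __name__ == "__main__":
    for name, dump in (("postal lookalike", SAMPLE_POSTAL_LOOKALIKE),
                       ("benign browser", SAMPLE_BENIGN_BROWSER)):
        result = triage(dump)
        print(f"{name}: groups={result['groups']} suspicious={result['suspicious']}")
```

Declared permissions are only a first filter: a legitimate SMS client declares the SMS group too, which is why the rule keys on the combination with the overlay or battery exemption rather than on SMS access alone. A flagged APK still needs the dynamic analysis the rest of the article describes.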
To avoid detection, FakeSpy can determine whether it is running on a real Android device or in an emulator. If it detects an emulator, FakeSpy removes itself.
Cybereason emphasizes that FakeSpy is under continuous development. Comments in the code reportedly also point to a Chinese origin, and among other indicators, the domains of the command-and-control infrastructure are registered with a Chinese ISP.
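The article says FakeSpy removes itself when it detects an emulator but does not list the checks it performs. The script below is an added example, not FakeSpy's code: it evaluates the commonly known system-property indicators of the stock Android emulator, which is what an analyst needs to neutralize in a sandbox before the sample will run. Whether FakeSpy uses exactly these properties is an assumption; the input format is that of `adb shell getprop`, and the two sample dumps are constructed, not captured from real devices.

```python
"""Emulator indicators of the kind Android malware checks before running.

Added example, not FakeSpy's code. The checks below are well-known
system-property tells of the stock Android emulator; whether FakeSpy uses
exactly these is an assumption. Input is the text of `adb shell getprop`;
the sample dumps are constructed, not captured from real devices.
"""
import re

# getprop prints one "[key]: [value]" pair per line.
_PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]$")


def parse_getprop(text):
    """Return a dict of system properties from `getprop` output."""
    props = {}
    for line in text.splitlines():
        match = _PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


# (property, predicate) pairs; a hit on any one suggests the stock emulator.
EMULATOR_CHECKS = [
    ("ro.kernel.qemu", lambda v: v == "1"),
    ("ro.hardware", lambda v: v in {"goldfish", "ranchu"}),
    ("ro.product.model", lambda v: "sdk" in v.lower() or "emulator" in v.lower()),
    ("ro.product.device", lambda v: v.startswith("generic")),
    ("ro.build.fingerprint", lambda v: "generic" in v or "test-keys" in v),
    ("ro.build.tags", lambda v: v == "test-keys"),
]


def emulator_indicators(props):
    """Return the property names whose values look like the stock emulator."""
    return [key for key, pred in EMULATOR_CHECKS
            if key in props and pred(props[key])]


# Constructed samples modelled on an AVD and a physical phone.
SAMPLE_AVD = """\
[ro.kernel.qemu]: [1]
[ro.hardware]: [ranchu]
[ro.product.model]: [sdk_gphone_x86]
[ro.product.device]: [generic_x86]
[ro.build.fingerprint]: [google/sdk_gphone_x86/generic_x86:11/RSR1.201013.001/6903271:user/release-keys]
[ro.build.tags]: [release-keys]
"""

SAMPLE_PHONE = """\
[ro.hardware]: [redfin]
[ro.product.model]: [Pixel 4a (5G)]
[ro.product.device]: [redfin]
[ro.build.fingerprint]: [google/redfin/redfin:11/RQ3A.210905.001/7511028:user/release-keys]
[ro.build.tags]: [release-keys]
"""

if __name__ == "__main__":
    for name, dump in (("avd", SAMPLE_AVD), ("phone", SAMPLE_PHONE)):
        print(f"{name}: {emulator_indicators(parse_getprop(dump))}")
```

Every property this script flags on the AVD sample is one a sandbox operator can override (rooted image, custom `build.prop`, or a hooking framework) so that a self-deleting sample proceeds far enough to reveal its command-and-control traffic. Property checks are only one family of emulator detection; samples may also inspect telephony values, sensors or installed packages, none of which the article attributes to FakeSpy.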
"The malware writers seem to go out of their way to improve this malware and to bundle it with numerous new upgrades that make it more sophisticated. These improvements make FakeSpy one of the most powerful information thieves out there. We expect this malware to evolve with additional new features; the only question is when the next wave will come," is the conclusion of the Cybereason researchers.