FakeSpy returns. New wave is aimed at hitting Japan

Information-stealing FakeSpy malware returns in Japan

FakeSpy malware steals information from Android users in Japan and Korea.

After being detected by TrendMicro this summer, FakeSpy malware returns to Japanese and Korean users. This time, the virus was spotted attacking Android users with the help of text messages as an entry point to deliver the main malicious script designed to collect text messages, various account information, contacts and even calls records stored on the device.

However, the most serious discovery made by experts is that the FakeSpy can also open a way for different malware, including banking trojans.

While, at the time of writing, this malware focuses on Korean and Japanese-speaking users, experts believe that it is only a matter of time when the malware starts spreading its malicious content all around the world.

The attack is initiated via malicious text messages

The attack starts when the victim gets a message from the fake logistic or delivery company filled with the hyperlink that redirects the victim to the malicious website. The page contains a script which pop-ups after clicking any button on the site and asks to authenticate with the help of the phone number. Additionally, the script downloads the malicious Android application package^[1].

FakeSpy also checks the device for banking applications on the device. If there is any, malware can replace repacked versions that imitate the interface and initiates the process of entering needed credentials^[2]. When the user enters the requested information, malware steals it.

While at the time of writing FakeSpy is focusing on Korean and Japanese-speaking users, experts believe that it is only a matter of time when the malware starts spreading its malicious content all around the world.

The malicious campaign has been active since October 2017

As FortiGuard Labs reported in its threat research, the malicious traffic has just been noticed.^[3] The C2 server, that was disguised as a domain of Japan's express post delivery service, was found to be located in China. The malware was soon identified as FakeSpy containing new capabilities.

Further analysis indicated that the same campaign is targeting South Korean users. While spreading in this part of Asia, the app has been masquerading as local financial services or companies. However, when the target is set to Japan, this information-stealing malware disguises its malicious activity behind transportation, logistics companies or e-commerce, mobile telecommunications service apps or even clothing retailer.

The further inspection of malware functionality

The SMiShing campaign^[4] is based on social engineering^[5] and can affect systems, devices and even networks of corporate users. It has been used to get access to victims' personal or company-related data, such as phone numbers, banking details, etc. commands as adding contacts, setting the device to mute, stealing stored information, updating the configurations to its own.

According to various analysis, FakeSpy is developed by hackers who registered hundreds of different domains that impersonate the same Japanese post service. There are 347 additional domains with the same name of postal service – “sagawa-ba.com”.

Unfortunately, this malware campaign still seems to be in development and it is possible that FakeSpy will remain active and will also add more malicious capabilities.