A new version of an Android malware family that reads, exfiltrates and sends SMS messages has been detected stealing financial and application data, account information and contact lists.
According to research by Cybereason, the malware, which it calls FakeSpy, is under constant development and has been active for over three years. The researchers found that the attackers send fake text messages (smishing) to lure victims into clicking a malicious link, which leads to a malicious web page that prompts them to download an Android application package (APK).
FakeSpy masquerades as a legitimate postal service application and, once installed, requests permissions that let it control SMS messages and steal sensitive data on the device, as well as spread to other devices by messaging entries in the victim's contact list.
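The permission pattern described above (full SMS control plus contact access in an app posing as a parcel tracker) is something an analyst can triage statically before running the sample. The following is an added example, not code from Cybereason or from the FakeSpy sample: it parses a decoded AndroidManifest.xml and flags the SMS-plus-contacts combination and any receiver registered for incoming SMS. It assumes the manifest has already been decoded to plain XML (for instance with apktool; APKs ship it as binary XML), and the manifest, package name and receiver name below are constructed for illustration.

```python
# Added example: static triage of a decoded AndroidManifest.xml for the
# SMS/contact permission profile of an SMS-stealing dropper. Not code from
# Cybereason or the FakeSpy sample; the manifest below is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that together let an app read, intercept and send SMS and
# harvest the contact list. One of them in a "parcel tracking" app deserves
# scrutiny; the full set is the profile of an SMS stealer that self-propagates.
SMS_PERMS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
CONTACT_PERMS = {"android.permission.READ_CONTACTS"}

# Constructed manifest (hypothetical package and receiver names, not the real
# FakeSpy manifest) resembling what a smishing dropper requests.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.parceltrack">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Parcel Tracker">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def _attr(el, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {_attr(el, "name") for el in root.iter("uses-permission") if _attr(el, "name")}


def sms_receivers(manifest_xml):
    """Return receivers registered for SMS_RECEIVED, with their filter priority.
    A high-priority receiver sees incoming texts before the default SMS app
    (and on older Android versions could abort the broadcast entirely)."""
    root = ET.fromstring(manifest_xml)
    found = []
    for recv in root.iter("receiver"):
        for filt in recv.findall("intent-filter"):
            actions = {_attr(a, "name") for a in filt.findall("action")}
            if "android.provider.Telephony.SMS_RECEIVED" in actions:
                found.append({
                    "name": _attr(recv, "name"),
                    "priority": int(_attr(filt, "priority") or "0"),
                })
    return found


def triage(manifest_xml):
    """Summarise the SMS/contact capability the app asks for and flag it when
    at least two SMS permissions are combined with contact access."""
    perms = requested_permissions(manifest_xml)
    sms = perms & SMS_PERMS
    contacts = perms & CONTACT_PERMS
    receivers = sms_receivers(manifest_xml)
    # Each SMS permission, each contact permission and the presence of an
    # SMS receiver add one point; a delivery-tracking app should score 0.
    score = len(sms) + len(contacts) + (1 if receivers else 0)
    return {
        "sms_permissions": sorted(sms),
        "contact_permissions": sorted(contacts),
        "sms_receivers": receivers,
        "score": score,
        "suspicious": len(sms) >= 2 and bool(contacts),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST), indent=2))
```

The scoring is deliberately coarse: it is a triage filter for deciding which APKs from a smishing campaign to look at first, not a verdict, and a legitimate messaging app will trip it. The permissions an app declares are also only the ceiling of what it can do; confirming that the receiver actually forwards message bodies to a remote host requires decompiling the code.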
The researchers determined that the developers are adding new features to the malware on a regular basis. “The newer version of FakeSpy uses new URL addresses for malicious communication with FakeSpy,” the research explained. “The function mainly uses a DES encryption algorithm to encode these addresses.”
Calling it “one of the most powerful information stealers on the market,” the Cybereason Nocturnus research team said the malware authors seemed to be putting a lot of effort into improving the malware, bundling it with numerous new upgrades that make it more sophisticated, evasive and well-equipped.
In terms of attribution, Cybereason's investigation suggests the threat actor behind the FakeSpy campaign is a Chinese-speaking group dubbed Roaming Mantis, which has run similar campaigns before. It began by targeting mainly users in South Korea and Japan and has since expanded globally.
Jake Moore, cybersecurity specialist at ESET, said the fake text lure often works “as the victims expect an unknown number and – even if they haven’t ordered something – they assume the message is genuine, clicking through to any given links.”
Niamh Muldoon, senior director of trust and security at OneLogin, added: “The challenge for the individuals and organizations building delivery apps such as the ones targeted by the latest FakeSpy variation is building a process that enforces MFA without introducing too much end-user friction; balancing the risk and user-acceptance is key.”