Android: malware steals information by pretending to deliver a package

A powerful form of Android malware capable of stealing banking data, personal information, private communications and more is back with a new phishing campaign that spreads via SMS.

The origins of the malware

The FakeSpy malware has been active since 2017. Originally, it mainly targeted users in Japan and South Korea. Today it targets Android users worldwide, with attacks specifically designed to trap victims in Asia, Europe, and North America.

The latest FakeSpy campaign was detailed by cybersecurity researchers at Cybereason, who say the attacks are linked to “Roaming Mantis”, a group of Chinese-speaking cybercriminals who have waged similar campaigns.

They describe FakeSpy as being under “active development” and “rapidly evolving”, with a new version of the malware released every week with new features and evasion techniques.

The purpose of the malware is to collect information, including SMS messages, bank details, login information for applications or online accounts, contact lists, and more.

Targets around the world

The latest campaign is widespread, targeting users in China, Taiwan, France, Switzerland, Germany, the United Kingdom, the United States, and other countries. The method is always the same: the user receives a phishing message claiming to be linked to a parcel delivery or some postal service.

The SMS contains a phishing link that sends users to a fake website, which prompts them to download a fake application imitating that of the local postal service. For example, British users are invited to download a fake version of the Royal Mail application, specially designed for this purpose, while in France it is an imitation of the La Poste application.

Royal Mail, United States Postal Service, Deutsche Post in Germany, La Poste, Japan Post, Swiss Post and Chunghwa Post in Taiwan are some of the brands used for the scam.

Applications designed to lull vigilance

These fake applications are built using WebView so that they resemble the real ones and deceive the victim. Once the application has been downloaded (this requires the user to authorize installation from an unknown source), the victim is redirected to the legitimate website, in order to lull their suspicion about what they have just downloaded.

The malware also requests a number of permissions, which it needs to operate. But since many legitimate apps also request extensive access to the device, the victim is unlikely to think twice.

Once installed, FakeSpy can monitor the device in order to steal various forms of information: name, phone number, contacts, and bank information (wallet, currency, etc.). It can also read text messages and monitor application usage.

“Business is working”

FakeSpy also uses each infection to spread, by sending a phishing message to all of the victim’s contacts. This is not a targeted campaign but a cybercrime operation seeking to spread as widely as possible and to collect as much banking information and other personal data as possible in order to make as much money as possible.

“These attacks seem to correspond to what is called ‘Spray and Pray’ (Editor’s note). They do not seem to target a particular individual, cyber attackers seem to try their luck by throwing a fairly large net, waiting for someone to take the bait,” Assaf Dahan, senior director and threat research manager at Cybereason, told ZDNet.

“We are constantly seeing new developments and new features added to the code, so I think business is working for them,” he adds.

How to protect yourself?

FakeSpy has been active for three years and continues to pose a threat to Android users as it evolves and changes.

To avoid this powerful malware, extreme caution should be exercised when dealing with unsolicited messages, especially those claiming to come from official organizations and asking you to click on a link or download something. In most cases, this is a phishing attempt.

“Users must be critical and be wary of text messages containing links. Before clicking on a link, you must always check the authenticity of the website, check that there are no mistakes in the page or even in the name of the site. And above all, avoid downloading applications from unofficial stores,” advises Assaf Dahan.

“Removing the bogus application through the file manager is a good way to mitigate the threat. It can also be useful to use a mobile security solution that will detect the threat and remedy it,” he said.


