Mobile
FakeSpy Targets Japanese and Korean-Speaking Users
FakeSpy can steal text messages, account information, contacts, and call records stored in the infected device. While the malware is currently limited to infecting Japanese and Korean-speaking users, we won't be surprised if it expands its reach.
Spoofing legitimate mobile applications is a common cybercriminal modus that banks on their popularity and relies on their users’ trust to steal information or deliver payloads. Cybercriminals typically use third-party app marketplaces to distribute their malicious apps, but in operations such as the ones that distributed CPUMINER, BankBot, and MilkyDoor, they would try to get their apps published on Google Play or App Store. We’ve also seen others take a more subtle approach that involves SmiShing to direct potential victims to malicious pages. Case in point: a campaign we recently observed that uses SMS as an entry point to deliver an information stealer we called FakeSpy (Trend Micro detects this threat ANDROIDOS_FAKESPY.HRX).
FakeSpy is capable of stealing text messages, as well as account information, contacts, and call records stored in the infected device. FakeSpy can also serve as a vector for a banking trojan (ANDROIDOS_LOADGFISH.HRX). While the malware is currently limited to infecting Japanese and Korean-speaking users, we won't be surprised if it expands its reach given the way FakeSpy’s authors actively fine-tune the malware’s configurations.
Attack Chain
Would-be victims will first receive a mobile text message masquerading as a legitimate message from a Japanese logistics and transportation company urging recipients to click the link in the SMS, as shown in Figure 1. The link will redirect them to the malicious webpage, and clicking any button will prompt users to download an Android application package (APK). The webpage also has a guide, written in Japanese, on how to download and install the app.
Figure 1: Sample SMSs containing links to the malware
Further analysis indicates that this campaign also targets South Korean users, and has been active since October 2017. To Korean users, the information-stealing malware appears as an app for several local consumer financial services companies. When targeting Japanese users, it poses as apps for transportation, logistics, courier, and e-commerce companies, a mobile telecommunications service, and a clothing retailer.
Figure 2: The malicious webpage with instructions on downloading and installing the application
Figure 3: Screenshots of the malicious apps in Korean (left) and Japanese (centre, right)
Technical Analysis
FakeSpy’s configurations, such as the command-and-control (C&C) server, are encrypted to evade detection. Once launched, FakeSpy will start monitoring for text messages that the affected device receives. These SMS messages are stolen and uploaded to the C&C server. To send commands via JavaScript, FakeSpy also abuses JavaScript bridge (JavaScriptInterface) to invoke the app’s internal functions by downloading then running JavaScript from a remote website. FakeSpy’s commands include adding contacts to the device, setting it to mute, resetting the device, stealing stored SMS messages and device information, and updating its own configurations.
Figure 4: FakeSpy’s encrypted configurations
Figure 5: How FakeSpy uploads stolen text messages to the C&C server
Figure 6: FakeSpy using JavaScriptInterface to send commands
Figure 7: Traffic from which attackers send the command to update FakeSpy’s configurations
FakeSpy as a vector for a banking trojan
Apart from information theft, FakeSpy can also check for banking-related applications installed in the device. If they match FakeSpy’s apps of interest, they are replaced with counterfeit/repackaged versions that imitate the user interfaces (UI) of their legitimate counterparts. It phishes for the users’ accounts by ironically notifying users that they need to key in their credentials due to upgrades made on the app to address information leaks. It also warns users that their account will be locked. The stolen information is sent to the C&C server once the users click on the login button. Besides online banking apps, it also checks for apps used for digital currencies trading and e-commerce.
Figure 8: Code snapshot showing FakeSpy checking for legitimate banking-related apps and replacing them with fake versions
Figure 9: UI of the malicious app that phishes the user’s banking credentials
Figure 10: Code snippets showing how the malicious app steals banking credentials
Evading Detection
FakeSpy’s author uses different approaches to hide and update the C&C servers. It abuses social media by writing the IP address on a Twitter profile whose handles are regularly modified. The IP address starts with ^^ and ends with $$. When FakeSpy launches, it will access the Twitter page and parse its contents to retrieve the C&C IP address. FakeSpy’s author also abuses forums and open-source dynamic domain tools in a similar manner. To further evade detection, the C&C server address configured into the apps are updated at least once per day. It’s also worth noting that the cybercriminals behind FakeSpy are active, at least based on their activities on forums and the related URLs they register to host their malware.
Figure 11. The Twitter pages that FakeSpy accesses to get the C&C IP address
Figure 12: FakeSpy using a forum (top) and dynamic domain tool (bottom) to hide the C&C server
Best Practices
SMiShing is not a novel attack vector, but with social engineering, it can lure or compel victims into handing out personal or corporate data, or direct them to malware-hosting websites. Users should practice good security hygiene: think before clicking, download only from official app stores, and regularly update credentials and the device’s OSs and apps. Check for telltale signs of phishing, such as grammar errors or certain characters used to spoof a legitimate URL, and more importantly, beware of unsolicited messages that seem to give a sense of unwanted urgency.
We’ve coordinated with the affected organisations about this threat. A list of indicators of compromise (IoCs) related to FakeSpy is in this appendix.
Trend Micro Solutions
Trend Micro™ Mobile Security for Android™ (also available on Google Play) blocks malicious apps that may exploit this vulnerability. End users and enterprises can also benefit from its multilayered security capabilities that secure the device’s data and privacy, and safeguard them from ransomware, fraudulent websites, and identity theft.
For organisations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that leverage vulnerabilities, preventing unauthorised access to apps, as well as detecting and blocking malware and fraudulent websites.
Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.