An updated and upgraded version of the FakeSpy Android malware family – which dates back to 2017 – is actively targeting users of various postal and delivery service apps around the world, including Royal Mail, according to Ofir Almkias of Cybereason’s Nocturnus threat research team.
The new version of FakeSpy is significantly more powerful when compared to previous versions, and continues to evolve rapidly, with new iterations being released on a weekly basis as its developers code in new evasion and obfuscation techniques, said Almkias.
Having initially targeted Android users in Japan and South Korea, the new versions are exploiting the brands of postal services companies in many other countries, including France’s La Poste, Germany’s Deutsche Post, and the US Postal Service, as well as Royal Mail in the UK.
“Code improvements, new capabilities, anti-emulation techniques, and new global target audience all suggest that this malware is well maintained by its authors,” Almkias wrote in a disclosure blog.
“Cybereason suspects that Chinese authors created the malware due to many artefacts found during the analysis. The malware packages’ names use English spellings of Chinese names with reference to Chinese songs, Chinese food [and] Chinese provinces.
“In addition, the domains used for communicating with the command-and-control (C2) server are registered to a Chinese name associated with a Chinese internet service provider,” he wrote.
FakeSpy relies on SMS phishing, or smishing to worm its way inside its victims’ devices. In this particular campaign the attackers send fake text messages – generally a notification of a held package or missed delivery – to lure targets into clicking on a malicious link, which prompts them to download an Android application package that purports to be a download of the sender’s app, but in reality contain FakeSpy.
Once installed and opened, FakeSpy victims will see two pop-up messages, one prompting them to give it permission to intercept and read every SMS received on the device, and one to ignore battery optimisation features, meaning it can operate normally while the screen is off and the device locked.
It then exfiltrates data from the device, including details of SMS messages, phone numbers and contact books, device information, data related to any banking or cryptocurrency apps it finds, and any information in the national public key infrastructure (NPKI) folder that may contain authentication certificates related to mobile banking.
“The malware authors seem to be putting a lot of effort into improving this malware, bundling it with numerous new upgrades that make it more sophisticated, evasive, and well equipped,” wrote Almkias.
“These improvements render FakeSpy one of the most powerful information stealers in the market. We anticipate this malware to continue to evolve with additional new features; the only question now is when we will see the next wave.”