Researchers at Cybereason are tracking a sophisticated malware campaign targeting Android devices around the world. The campaign involves a new version of the FakeSpy information-stealing malware, which is tied to the China-associated threat actor “Roaming Mantis.” The attackers are using smishing to trick victims into installing spoofed apps.
“The malware uses smishing, or SMS phishing, to infiltrate target devices, which is a technique that relies on social engineering,” the researchers explain. “The attackers send fake text messages to lure the victims to click on a malicious link. The link directs them to a malicious web page, which prompts them to download an Android application package (APK).... New versions of FakeSpy masquerade as government post office apps and transportation services apps. Our analysis indicates that the threat actors are no longer limiting their campaigns to East Asian countries, but are targeting additional countries around the world.”
The malicious apps are impersonating the US Postal Service, Britain’s Royal Mail, the Deutsche Post in Germany, France’s La Poste, the Japan Post, the Swiss Post, and Taiwan’s Chunghwa Post. This marks an expansion in targeting for the malware, as previous FakeSpy campaigns had only targeted Japanese and Korean speakers.
Cybereason stresses that the malware can only operate if the victims themselves grant permissions to the malicious apps, which the researchers say “points to the importance of healthy skepticism when giving applications permissions.”
The researchers conclude that FakeSpy’s developers are still actively working on refining the tool, so the malware will likely surface again in the future.
“The malware authors seem to be putting a lot of effort into improving this malware, bundling it with numerous new upgrades that make it more sophisticated, evasive, and well-equipped,” they write. “These improvements render FakeSpy one of the most powerful information stealers on the market. We anticipate this malware to continue to evolve with additional new features; the only question now is when we will see the next wave.”
New-school security awareness training can teach your employees how to avoid falling for smishing and other social engineering attacks.