
FakeSpy Uses SMS Phishing Disguised as Postal Service Messages to Spread Malware
Malware is targeting Android users across the globe with a smishing campaign. The malware, called FakeSpy, sends fake SMS text messages that are supposedly delivery updates from the postal service to trick users into clicking on a malicious link. The malware steals information from infected phones, including financial account information and contact lists, according to cyber security researchers at Cybereason.
FakeSpy malware sends SMS phishing (called “smishing”) text messages to potential victims. The SMS messages are crafted to look like they were sent by a number of postal services and contain delivery update information. Fake smishing messages from the U.S. Postal Service, the U.K. Royal Mail, Germany’s Deutsche Post, Switzerland’s Swiss Post, France’s La Poste, and Taiwan’s Chunghwa Post have all been used to trick victims. Private delivery companies such as Japan Post, Yamato Transport, and Deutsche Post DHL Group are also being impersonated in this smishing attack.
The information for the attack most likely was gleaned from social engineering.
“FakeSpy is under active development and is evolving rapidly; new versions are released every week with additional evasion techniques and capabilities,” says Cybereason.
The malware sends a fake postal service package delivery text message to the victim’s phone. The text message contains a link which the user is encouraged to click on. If the user clicks on the link, it sends them to a malicious web page. The landing page prompts them to download an app that is supposedly the local postal service’s app. The app is actually an Android application package (APK) that loads FakeSpy malware.
“The fake applications are built using WebView, a popular extension of Android’s View class that lets the developer show a webpage. FakeSpy uses this view to redirect users to the original post office carrier webpage on launch of the application, continuing the deception. This allows the application to appear legitimate, especially given these applications’ icons and user interface,” says Cybereason.
FakeSpy Malware Texts Your Contacts
FakeSpy is an info stealer malware. When a device is infected, FakeSpy can steal financial data, read account information, contact lists, and application data. The malware will intercept every text message from an infected phone and send a copy to the hacker’s server. It can also send text messages to contacts, so they get infected too.
FakeSpy malware requests the following permissions:
- READ_PHONE_STATE
- READ_SMS
- RECEIVE_SMS
- WRITE_SMS
- SEND_SMS
- INTERNET
- WRITE_EXTERNAL_STORAGE
- READ_EXTERNAL_STORAGE
- RECEIVE_BOOT_COMPLETED
- GET_TASKS
- SYSTEM_ALERT_WINDOW
- WAKE_LOCK
- ACCESS_NETWORK_STATE
- REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
- READ_CONTACTS
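As an added example (not code from Cybereason or from the original article), the permission list above can be turned into a triage check for a sideloaded app's manifest. It assumes the AndroidManifest.xml has already been decoded to text XML; the CORE subset and the min_overlap threshold are assumptions chosen for illustration, and a match is a reason to look closer, not proof of infection, since legitimate messaging apps request some of the same permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the article lists for FakeSpy (short names).
FAKESPY_PERMISSIONS = {
    "READ_PHONE_STATE", "READ_SMS", "RECEIVE_SMS", "WRITE_SMS", "SEND_SMS",
    "INTERNET", "WRITE_EXTERNAL_STORAGE", "READ_EXTERNAL_STORAGE",
    "RECEIVE_BOOT_COMPLETED", "GET_TASKS", "SYSTEM_ALERT_WINDOW", "WAKE_LOCK",
    "ACCESS_NETWORK_STATE", "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    "READ_CONTACTS",
}
# Assumption: the subset behind the behaviour described above (intercepting
# SMS, texting contacts). Chosen for this example, not taken from the article.
CORE = {"READ_SMS", "RECEIVE_SMS", "SEND_SMS", "READ_CONTACTS"}


def requested_permissions(manifest_xml):
    """Return short permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            if name:
                names.add(name.rsplit(".", 1)[-1])
    return names


def assess(manifest_xml, min_overlap=10):
    """Flag a manifest that holds every CORE permission and overlaps the
    article's list by at least min_overlap entries (threshold is an assumption)."""
    perms = requested_permissions(manifest_xml)
    overlap = perms & FAKESPY_PERMISSIONS
    flagged = CORE <= perms and len(overlap) >= min_overlap
    return {"count": len(overlap), "missing_core": sorted(CORE - perms),
            "suspicious": flagged}


def sample_manifest(perms):
    """Build a constructed manifest for the demo; not taken from a real APK."""
    rows = "".join(
        f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="example.constructed">{rows}</manifest>')


if __name__ == "__main__":
    print(assess(sample_manifest(sorted(FAKESPY_PERMISSIONS))))
    print(assess(sample_manifest(["INTERNET", "WAKE_LOCK", "READ_CONTACTS"])))
```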
FakeSpy Malware
FakeSpy was first spotted in 2017. It is believed that the malware is connected to a Chinese hacking group called Roaming Mantis. These hackers are not, however, regarded as an Advanced Persistent Threat Group. The threat actors initially targeted Japanese and Korean speakers. The malware has now evolved and targets anyone, especially those who speak English, French, German, and Chinese.
How Do I Know If My Phone Is Infected?
Like many malware families, FakeSpy drains the battery quickly. FakeSpy overrides battery optimization settings on infected devices. So, if you notice that your phone is using up battery life faster, runs slowly, or feels hot to the touch because it is using background data and running all the time, it may be infected.