July 7, 2020
Severity
Medium
Analysis Summary
FakeSpy is Android information-stealing malware that has been in the wild since at least late 2017 and was initially used to target East Asian countries. Researchers have been investigating a campaign that sends SMS messages containing a download link for an app. The victim must allow installation of apps from third-party stores for the app to be installed. The app masquerades as a legitimate app belonging to postal and transportation services.

Once installed, the app begins sending information from the victim's device to its C&C servers. It also sends an SMS message containing a link to download the app to every contact in the device's contact list. Cybereason notes that FakeSpy uses anti-emulation techniques and behaves differently when run in an emulated environment, and that FakeSpy is actively and frequently updated. The operator behind the campaigns is likely a Chinese threat actor group.
Impact
- Information theft
- Exposure of sensitive data
Indicators of Compromise
SHA1
- ad1ad43fdb2f6759b1a32b47dea41cd98afd74f6
- 00e26db52f692c5bea849f92a137991da484f907
- 7456e4ae32d574273656ce2350b28a745a33f806
- 6165039d703b74a99c0640950305e62cc88412d8
- f4524e97b979a59a56c4414f1835e236ce460a93
- 558575c4357295acf08d49df3fb85da42829e2ed
- 81ffd6e272d9b141530f8d3a52bbd2942c77fc0d
Remediation
- Block all threat indicators at your respective controls.
- Only download applications that are legitimate and recommended.
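As an added example (not part of the Rewterz alert), the following Python script shows one way to act on the SHA1 indicators above: it streams files under a directory through SHA1 and reports any whose digest matches the indicator set. The `build_demo_dir` helper, the file names it writes and their contents are constructed for the demonstration and are not malware samples; only the hashes in `FAKESPY_SHA1` come from the alert.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA1 indicators as listed in the alert above.
FAKESPY_SHA1 = {
    "ad1ad43fdb2f6759b1a32b47dea41cd98afd74f6",
    "00e26db52f692c5bea849f92a137991da484f907",
    "7456e4ae32d574273656ce2350b28a745a33f806",
    "6165039d703b74a99c0640950305e62cc88412d8",
    "f4524e97b979a59a56c4414f1835e236ce460a93",
    "558575c4357295acf08d49df3fb85da42829e2ed",
    "81ffd6e272d9b141530f8d3a52bbd2942c77fc0d",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA1 so large APKs do not have to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, indicators=FAKESPY_SHA1, suffixes=(".apk",)):
    """Walk `root` and return [(path, sha1)] for files whose hash is an indicator.

    Indicator matching is case-insensitive; pass `suffixes=()` to hash every file
    rather than only those with an APK extension.
    """
    wanted = {h.lower() for h in indicators}
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if suffixes and path.suffix.lower() not in suffixes:
            continue
        digest = sha1_of_file(path)
        if digest in wanted:
            hits.append((str(path), digest))
    return hits


def build_demo_dir():
    """Create a constructed sample tree (harmless files, not malware) to try the scanner on."""
    root = Path(tempfile.mkdtemp(prefix="fakespy-demo-"))
    (root / "benign.apk").write_bytes(b"not an indicator")
    (root / "sample.apk").write_bytes(b"abc")  # SHA1 of b"abc" is a9993e36...d0d89d
    (root / "notes.txt").write_bytes(b"abc")   # same bytes, skipped by the suffix filter
    return root


if __name__ == "__main__":
    demo = build_demo_dir()
    # The constructed files do not match the alert's real indicators.
    print("alert IoC hits:", scan_directory(demo))
    # With a constructed indicator (SHA1 of b"abc") the scanner reports sample.apk.
    print("demo hits:", scan_directory(demo, {"A9993E364706816ABA3E25717850C26C9CD0D89D"}))
```

On a real device backup or MDM export, point `scan_directory` at the extracted application directory; a match on any of the alert's hashes identifies a known FakeSpy sample and the device should be isolated and the app removed.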