FakeSpy using SMS as an entry point of the attack to drop the Trojan and also serve as a vector for a banking trojan.
It Mainly infecting users who belong to Japanese and Korean.. the attackers always tuning it to modifying the configuration to spreading across many countries.
Initially targeted victims will receive a mobile text message masquerading as a legitimate message from a Japanese logistics and transportation company.
Targeted victims urged to click the link in the SMS, and once they clicked on it then it will redirect into a malicious webpage.
Once victims clicked any button then it prompts to download the malicious Android application package (APK).
Based on the indication, this campaign also targets South Korean users and it has been active since October 2017.
FakeSpy Infection Analysis
FakeSpy spreading as an app that posed as Korean based financial services companies and when it turned to attack victims based on Japan, it poses as apps for transportation, logistics, courier, and e-commerce companies, a mobile telecommunications service, and a clothing retailer.
FakeSpy command & control server communication medium is completely encrypted to evade the detection.
An attacker using various approaches to hide and update the C&C servers. once FakeSpy launch into the victim’s device then it will access the Twitter page and parse its contents to retrieve the C&C IP address.
Also C&C server addresses configured apps are at least once per day to make the detection more complex.
Once FakeSpy launched into the targeted device, it starts monitoring the text messages of the infected device and it will steal and upload it into the C&C servers.
Along with this, FakeSpy checking the infected device whether it installed any bank related apps and once find it then It phishes for the users’ accounts by ironically notifying users that they need to key in their credentials due to upgrades made on the app to address information leaks.