Japanese security researcher Yusuke Osumi has discovered a new variant of the Android info-stealer called FakeCop that uses an information stealer masquerading as a security app to collect the victims’ personal information.
#Phishing #malware #android
— Osumi, Yusuke (@ozuma5119) October 19, 2021
Brand: au KDDI あんしんセキュリティ
VT: https://t.co/CFbRa6KkYXhttps://t.co/fWcZ1cKWJy
🦠 hxxp://zuwnkmkrjh[.]duckdns[.]org/AU.apk
⚡️ C2 hxxp://210902[.]top/
45.116.13[.]12 (AS4785 xTOM, JP)
→ websocket://172.247.35[.]189:6666/
(AS21859 ZenLayer) pic.twitter.com/nCsq31Dccw
After analyzing the malware, the researchers state that the new spyware variant has the following capabilities:
- Collect SMSs, contacts, accounts information, and apps list
- Modify or delete SMSs in the device database
- Collect device hardware information (IMEI)
- Send SMSs without the user’s knowledge
The spyware asks the user to grant numerous sensitive permissions to perform this functionality, as shown below.
When users are met with such requests by AV software, they are more likely to grant them because security software commonly needs higher privileges to scan and remove detected threats.
The malware authors are also using a custom packer to hide the actual behavior of their app while also thwarting static detection.
The malicious code is Bitwise XOR encrypted and stored inside a file in the assets folder, and it can only be unpacked if invoked by a specific app subclass.
Additionally, FakeCop actively scans the device app list, and if any antivirus apps are found, it pushes a notification to the user asking them to uninstall them.
The hardcoded AV solutions that malware will prompt users to remove include Anshin Security, McAfee Security, and the Docomo Anshin Scan.
As for how FakeCop reaches the victims, Cyble’s OSINT research revealed two channels of distribution, one via SMS with malicious links and one relying on phishing emails.
The ‘duckdns.org’ free dynamic DNS used as the delivery mechanism has been previously used for distributing Medusa and Flubot, so it’s possible that the current campaign ties to the same operators.
As a general rule, avoid clicking on URL links that arrive via unsolicited SMS and email, and refrain from installing APK files from outside the Google Play Store.
Additionally, periodically check and confirm that Google Play Protect is active on your device, and always scrutinize permission requests when installing a new app.
Bijay Pokharel
Related posts
Recent Posts
Subscribe
Cybersecurity Newsletter
You have Successfully Subscribed!
Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox. You are also consenting to our Privacy Policy and Terms of Use.