Initially discovered by TrendMicro's researchers in June, the FakeSpy Android data stealer malware that targets Japanese and Korean users has been detected by Fortinet doing the rounds as part of a new malware campaign.
The FakeSpy malware sample Fortinet identified seems to have new capabilities and it can now spread itself to other Android devices by sending maliciously crafted text messages to lists of phone numbers it receives from its command-and-control (C&C) server.
This FakeSpy variant propagation chain starts with a fake site designed to look like the website of a Japanese express delivery service company which will display a pop-up message asking you to authenticate using a phone number when clicking anywhere on the site.
After some extra redirects and jumps through loops, the user will be sent an APK file containing the dropper which installs the FakeSpy malware payload.
Once installed on the Android device, FakeSpy asks to become the default SMS app, subsequently logging all received text messages and sending them to the C&C server.
Besides being capable of stealing data from Android devices, this FakeSpy variant can also propagate itself to other devices via text messages
Furthermore, this FakeSpy variant will also create and send messages to other devices, while also collecting IMEI and phone number info and crash reports and sending them all to its command-and-control server.
FakeSpy can also disseminate itself to other devices, with every infected target requesting a telephone number list from the C&C server and sending text messages containing links to malicious domains controlled by the attackers.
According to Fortinet's analysis, the threat actors behind this FakeSpy malware campaign have registered hundreds of domains which seem to impersonate the domain of the same Japanese express post service.
Because of this and the amount of commented code found by Fortinet on the fake websites used for the initial stage of the infection, we can say that the bad actors are still working on polishing both the malware and the malware campaign peddling the FakeSpy data stealer on the Android platform.