Cyber criminals spreading new Android Malware called FakeSpy to compromise the infected Android users to stealing text messages, account information, contacts, and call records.

FakeSpy using SMS as an entry point of the attack to drop the Trojan and also serve as a vector for a banking trojan.

It Mainly infecting users who belong to Japanese and Korean.. the attackers always tuning it to modifying the configuration to spreading across many countries.

Initially targeted victims will receive a mobile text message masquerading as a legitimate message from a Japanese logistics and transportation company.


Targeted victims urged to click the link in the SMS, and once they clicked on it then it will redirect into a malicious webpage.

Once victims clicked any button then it prompts to download the malicious Android application package (APK).

Based on the indication, this campaign also targets South Korean users and it has been active since October 2017.

FakeSpy Infection Analysis

FakeSpy spreading as an app that posed as Korean based financial services companies and when it turned to attack victims based on Japan, it poses as apps for transportation, logistics, courier, and e-commerce companies, a mobile telecommunications service, and a clothing retailer.

FakeSpy command & control server communication medium is completely encrypted to evade the detection.

An attacker using various approaches to hide and update the C&C servers. once FakeSpy launch into the victim’s device then it will access the Twitter page and parse its contents to retrieve the C&C IP address.

Also C&C server addresses configured apps are at least once per day to make the detection more complex.

Once FakeSpy launched into the targeted device, it starts monitoring the text messages of the infected device and it will steal and upload it into the C&C servers.

According to TrendMicro,  To send commands via JavaScript, FakeSpy also abuses JavaScript bridge (JavaScriptInterface) to invoke the app’s internal functions by downloading then running JavaScript from a remote website. FakeSpy’s commands include adding contacts to the device, setting it to mute, resetting the device, stealing stored SMS messages and device information, and updating its own configurations.

Along with this, FakeSpy checking the infected device whether it installed any bank related apps and once find it then It phishes for the users’ accounts by ironically notifying users that they need to key in their credentials due to upgrades made on the app to address information leaks.

Also Read

Android Gamers Beware of Fake Fortnite Game that Contains Spyware and Cryptocurrency Miner

MysteryBot – Powerful Android Banking Trojan Launch Keylogger, Overlay & Ransomware in Single Attack

Android Cryptocurrency Mining Malware Infecting Amazon Fire TV & Other Amazon Devices

BALAJI is a Former Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.


Please enter your comment!
Please enter your name here