The Android malware FakeSpy was first discovered in October 2017, when it primarily attacked people in South Korea and Japan. Researchers at Cybereason Nocturnus have now found that a more potent form of FakeSpy is targeting users all over the world, including in China, Taiwan, France, Switzerland, Germany, the United Kingdom and the United States, among others. This time, the malware deceives users by masquerading as a postal service app.
According to the report, the malware reaches users through a smishing (SMS-phishing) attack. It sends an SMS telling the recipient to download an app that masquerades as a genuine postal service app. When the user opens the infected app, it asks for two permissions. The first allows it to intercept every message received on the device and send it to its servers, while the second allows it to keep working at full capacity even when the screen has been turned off and the phone has been locked.
Once it has these permissions, it steals confidential information such as the user's phone number, device model, OS version, telecom provider, banking information, IMEI number and IMSI number. It also propagates by sending a similar infected message to every contact in the user's phone book. Researchers suspect that a Chinese-speaking group called Roaming Mantis, which primarily operates in Asia, is behind the latest malware attack. “Our analysis shows that the threat actor behind the FakeSpy malware is a Chinese-speaking group, commonly referred to as ‘Roaming Mantis’, a group that is known to have launched similar campaigns in the past,” researchers wrote in their analysis.
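A defender-side triage of the behaviours described above, as an added example that is not from the Cybereason report or the original article: it reads a decoded AndroidManifest.xml and flags apps that combine SMS interception with an exemption from battery optimisation. The permission names mapped to each behaviour and both sample manifests are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Behaviour from the article -> alternative permission sets that enable it.
# Assumed mapping: the article names the behaviours, not the permissions.
BEHAVIOURS = {
    "intercept_sms": [{"RECEIVE_SMS"}, {"READ_SMS"}],
    "run_while_locked": [{"REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"}],
    "read_device_ids": [{"READ_PHONE_STATE"}],
    "spread_to_contacts": [{"READ_CONTACTS", "SEND_SMS"}],
}

def requested_permissions(manifest_xml):
    """Return the short names of all permissions a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name", "")
            perms.add(name[len(PREFIX):] if name.startswith(PREFIX) else name)
    return perms

def triage(manifest_xml):
    """List enabled behaviours; flag SMS interception plus lock-screen persistence."""
    perms = requested_permissions(manifest_xml)
    found = [b for b, alts in BEHAVIOURS.items() if any(a <= perms for a in alts)]
    flagged = {"intercept_sms", "run_while_locked"} <= set(found)
    return {"behaviours": found, "flagged": flagged}

def _manifest(package, perms):
    """Build a minimal decoded manifest string for the samples below."""
    uses = "".join(f'<uses-permission android:name="{PREFIX}{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application/></manifest>')

# Constructed sample manifests (not taken from any real app).
SUSPICIOUS = _manifest("com.example.postal", ["RECEIVE_SMS", "SEND_SMS", "READ_CONTACTS",
    "READ_PHONE_STATE", "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS", "INTERNET"])
BENIGN = _manifest("com.example.otpreader", ["RECEIVE_SMS", "INTERNET"])

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage(xml))
```

The check expects a manifest already decoded to text XML; a flag is a reason to review the app, not a verdict, since legitimate messaging apps can request the same permissions.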