Cyble Research Labs has discovered a malware-based campaign targeting Android users in Japan. The campaign uses an information stealer masquerading as a security app to collect the victims’ personal information.
Our team initially noticed this campaign through a researcher’s Twitter post. Through our OSINT research, we were able to collect more details on the campaign. Based on our findings, the Threat Actor (TA) behind this campaign uses multiple malicious APK files to carry out these activities.
The TA has hosted this malware on various URLs registered through the free dynamic DNS service duckdns. A subset of these URLs is shown in the figure below.
Our analysis has shown that the malicious app is an advanced variant of the FakeCop spyware. We also observed that the app masquerades as common security/anti-virus apps available in Japan. This FakeCop variant collects information such as contacts, SMSs, and the list of installed apps, and it can also send SMS messages. The collected personal information is uploaded to a Command & Control (C&C) server.
The TA used the following URL to distribute one of the APKs used in this campaign.
We have analyzed this APK below.
APK Metadata Information
- App Name: Anshin Security (あんしんセキュリティ)
- Package Name: ifzm.sqik.aaaqv
- SHA256 Hash: e70ecadb0e6f92d520e54f4e04cf43799ea4ff69c711b6da3b69838b8f6b7373
The app poses as a security app named Anshin Security, which is a privacy service app provided by NTT Docomo.
The figure below displays the APK file information.
Additionally, the app uses the icon of the Secure Internet Security app from the Play Store, an app that provides security features for users in Japan.
The new FakeCop spyware app requests 20 different permissions, as shown in Figure 3. The TA could abuse 12 of these permissions. In this scenario, the malware can:
- Collect SMSs, contacts, and accounts information
- Modify SMSs in the device database
- Collect device hardware information
- Send SMSs without the user’s knowledge
The list of permissions declared in the manifest file is shown below.
From the spyware’s manifest file, we have also identified the entry point classes such as:
- "arm.StubApp": the Application subclass, which is the first class executed when a user starts the app from the device’s home screen.
- "ifzm.sqik.aaaqv.Bjtu": the launcher activity, i.e. the class that displays the application’s first screen.
- "ifzm.sqik.aaaqv.Asdf": the receiver class that is started upon device reboot.
The entry-point classes (including missing classes) are mentioned in the figure below.
Upon further investigation, we found that the malware author uses a custom packer to hide the spyware behavior. Classes such as the launcher activity and the receiver class mentioned above are missing from the APK file: the classes in the package ifzm.sqik.aaaqv are absent, as we can observe in the figure below.
This FakeCop variant uses a custom packer that unpacks a DEX file upon execution. Further analysis showed that the TA encrypts the code and stores it inside a file in the assets folder.
We found that the unpacker is implemented in a shared object (.so) file and is executed from the Application subclass. Refer to Figure 6.
The custom packer uses a bitwise XOR cipher to decrypt the DEX file. The code used by the packer is shown below.
SHA256 of the unpacked DEX file: b39d0db0bcc1d63c42e81e0de19cdb7fa9072fb320d94fcad0c987109f1651ec
Cyble Research Labs unpacked the DEX file using the unpacker code present in the .so file. We observed that the file contains the malicious code that performs the spyware behavior.
After writing the decrypted DEX file to disk, the malware loads it and then deletes the file to remove all traces of it from the infected device.
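Because the packer relies on a plain XOR layer and every DEX file starts with a fixed magic and header, an analyst can recover the key from the packed asset itself instead of tracing the native unpacker. The script below is an added example, not Cyble’s code or the packer’s own; it assumes a repeating key of at most 8 bytes and uses a constructed DEX-like sample as input.

```python
import struct
from typing import Optional

# Added example (not Cyble's code): recover a short repeating XOR key from a
# packed DEX using the fixed magic/header fields as known plaintext.
DEX_MAGICS = [b"dex\n%03d\0" % v for v in (35, 36, 37, 38, 39)]
HEADER_SIZE = 0x70            # header_size field is always 0x70
ENDIAN_CONSTANT = 0x12345678  # endian_tag of a little-endian DEX

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the packer's own primitive)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_dex_header(hdr: bytes) -> bool:
    """Check the magic plus the header_size and endian_tag fields."""
    if len(hdr) < HEADER_SIZE or hdr[:8] not in DEX_MAGICS:
        return False
    header_size, endian_tag = struct.unpack_from("<II", hdr, 0x24)
    return header_size == HEADER_SIZE and endian_tag == ENDIAN_CONSTANT

def recover_key(blob: bytes, max_key_len: int = 8) -> Optional[bytes]:
    """Shortest repeating key (assumed <= 8 bytes) that yields a sane header."""
    for magic in DEX_MAGICS:
        stream = xor_bytes(blob[:8], magic)        # first 8 keystream bytes
        for klen in range(1, max_key_len + 1):
            key = stream[:klen]
            if xor_bytes(magic, key) != blob[:8]:  # key must repeat cleanly
                continue
            if looks_like_dex_header(xor_bytes(blob[:HEADER_SIZE], key)):
                return key
    return None

def unpack_asset(blob: bytes) -> Optional[bytes]:
    """Decrypted DEX, or None when no consistent XOR key is found."""
    key = recover_key(blob)
    return None if key is None else xor_bytes(blob, key)

def build_sample_dex_header(file_size: int) -> bytes:
    """Constructed stand-in for a real DEX header (test data only)."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:8] = b"dex\n035\0"
    struct.pack_into("<III", hdr, 0x20, file_size, HEADER_SIZE, ENDIAN_CONSTANT)
    return bytes(hdr)

# Constructed sample: DEX-like blob encrypted with an assumed 3-byte key.
SAMPLE_KEY = b"\x5a\xc3\x19"
SAMPLE_PLAIN = build_sample_dex_header(0x1234) + b"constructed payload"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)
```

Against a real sample, feed the raw bytes of the suspicious asset to `unpack_asset` and verify the result by hashing it (the unpacked DEX hash is listed in the IOCs) or by loading it in a DEX disassembler.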
Upon inspecting the unpacked DEX file, we observed that it has the malicious code capable of performing spyware activities such as:
- Collecting personal information such as contacts, SMSs, applications list
- Collecting hardware information such as the IMEI number
- Modifying/Deleting the device SMS database
The code to collect Contact data from the victim’s device is shown in the below figure.
The spyware also collects SMSs from the victim’s device. Refer to Figure 9.
Through the course of our analysis, we also observed that, in addition to the spyware behavior, the malware is capable of displaying notifications with content provided by the TA.
The malware can also send SMSs without user interaction. The code used to send SMSs is shown in the figure below.
This FakeCop variant app also checks for security software applications such as McAfee’s antivirus apps in the device. Upon finding these apps, the malware creates a notification requesting the user to modify (disable/uninstall) these apps to ensure the malware’s persistence on the device.
The security apps checked by the malware are shown in the below figure.
The security software checked by the malware is listed below.
| Package name | Application |
|---|---|
| com.wsandroid.suite | McAfee Security: VPN Antivirus Privacy Protection (Play Store link) |
| com.au.anshinnetsecurity | Secure Internet Security (Play Store link) |
| com.mcafee.vsm_android_dcm | Docomo Anshin Scan |
The spyware performs these activities upon receiving the commands from C&C.
Commands from C&C
The TA uses a peculiar technique to reach the C&C server. Instead of carrying the C&C address, the spyware is instructed to access a proxy server from which it obtains the IP address and port of the C&C server; these details are extracted from the proxy server’s response with the help of an HTML parser. The code used to access the proxy server and extract the C&C IP address is displayed below.
This technique lets the TA operate multiple C&C servers as required: to migrate the C&C, the TA only needs to change the C&C details on the proxy server.
Proxy server URL: hxxp://210902[.]top/
The C&C details found in the proxy server are shown in the below figure.
C&C URL: hxxp://172.247.35[.]189:6666/
The commands used by the TA are given in the table below.
| Command | Action |
|---|---|
| Address book& | Collect contacts |
| inbox& | Collect SMS messages |
| Block SMS& | Delete all SMSs in inbox |
| send Message& | Send text message |
| Application List& | Collect app list |
We also observed that the proxy server was used by multiple APK files, which are listed below.
During our OSINT research, we observed that the malware related to this campaign was delivered through the duckdns URLs, as shown in Figure 1.
We also found that duckdns was abused for a phishing campaign targeting users from the same country.
Another point to note: recent Android malware such as FluBot and Medusa also used SMS as the delivery mechanism. This leads us to believe that this variant of FakeCop uses the same mechanism to infect users.
TAs are frequently introducing increasingly sophisticated techniques to avoid detection, as well as new techniques to ensure the malware’s persistence on the infected device. This new spyware variant is the latest example, using a packer to hide its behavior from static detection.
Using these advanced techniques, this spyware is nearly impossible to detect on an infected device. Thus, users should exercise caution while installing applications.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- If you find this malware on your device, uninstall it using adb uninstall or perform a factory reset.
- Download and install software only from official app stores like Google Play Store & Apple App Store.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Be wary of opening any links present in SMSs delivered to your phone.
- Use the shared IOCs to monitor and block the malware infection.
- Keep your anti-virus software updated to detect and remove malicious software.
- Keep your devices, operating systems, and applications updated to the latest versions.
- Use strong passwords and enable multi-factor authentication.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1444 | Masquerade as Legitimate Application |
| Initial Access | T1476 | Deliver Malicious App via Other Means |
| Defense Evasion | T1508 | Suppress Application Icon |
| Defense Evasion | T1418 | Application Discovery |
| Defense Evasion | T1575 | Native Code |
| Defense Evasion | T1406 | Obfuscated Files or Information |
| Collection | T1412 | Capture SMS Messages |
| Collection | T1432 | Access Contacts List |
| Collection | T1533 | Data from Local System |
| Impact | T1447 | Delete Device Data |
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| b39d0db0bcc1d63c42e81e0de19cdb7fa9072fb320d94fcad0c987109f1651ec | SHA256 | Hash of the unpacked DEX file |
| hxxp://172.247.35[.]189:6666/ | URL | C&C URL with which the malware communicates |
| hxxp://210902[.]top/ | URL | Proxy server URL |