
New Variant of FakeCop Targeting Users from Japan 


Cyble Research Labs has discovered a malware-based campaign targeting Android users in Japan. We identified that the campaign uses an information stealer masquerading as a security app to collect the victims’ personal information.

Our team initially noticed this campaign through a researcher’s Twitter post. Through OSINT research, we were able to collect more details on the campaign. Based on our findings, the Threat Actor (TA) behind this campaign uses multiple malicious APK files to carry out these activities.

The TA has hosted this malware on various URLs with the help of a free dynamic DNS service, duckdns. A subset of these URLs is shown in the figure below.

Figure 1: TA using duckdns for delivering spyware (Ref: VirusTotal) 

Our analysis has shown that the malicious app is an advanced variant of the FakeCop spyware. We also observed that the app masquerades as common security/anti-virus apps available in Japan. This FakeCop variant collects information such as contacts, SMSs, and the list of installed apps, and it can also send SMS messages. The collected personal information is uploaded to a Command & Control (C&C) server.

Technical Analysis 

The TA utilized the following URL to transmit one of the APKs used in this campaign. 

URL: hxxp://zuwnkmkrjh.duckdns[.]org/AU.apk 

We have analyzed this APK below. 

APK Metadata Information 

  • App Name: Anshin Security (あんしんセキュリティ) 
  • Package Name: ifzm.sqik.aaaqv 
  • SHA256 Hash: e70ecadb0e6f92d520e54f4e04cf43799ea4ff69c711b6da3b69838b8f6b7373 

The app poses as a security app named Anshin Security, which is a privacy service app provided by NTT Docomo. 

The figure below displays the APK file information. 

Figure 2: APK File info 

Additionally, the app uses the icon of the Secure Internet Security app from the Play Store, an app that provides security features for users in Japan.

Manifest Description 

The new FakeCop spyware app requests 20 different permissions, as shown in Figure 3. The TA could abuse 12 of these permissions. In this scenario, the malware can: 

  • Collect SMSs, contacts, and accounts information
  • Modify SMSs in the device database 
  • Collect device hardware information 
  • Send SMSs without the user’s knowledge 

The list of permissions declared in the manifest file is shown below. 

Figure 3: Permission List in APK’s manifest 

From the spyware’s manifest file, we also identified the following entry-point classes:

  1. arm.StubApp: the class that executes first when the user starts the app from the device’s home screen, i.e. the Application subclass.
  2. ifzm.sqik.aaaqv.Bjtu: the class that displays the app’s first screen, also called the launcher activity.
  3. ifzm.sqik.aaaqv.Asdf: the receiver class that is started upon device reboot.

The entry-point classes (including missing classes) are mentioned in the figure below. 

Figure 4: Entry point classes (missing classes are highlighted) declared in the manifest 

Upon further investigation, we found that the malware author uses a custom packer to hide the spyware behavior. Classes such as the launcher activity class and the receiver class mentioned above are missing from the APK file: the classes in the package ifzm.sqik.aaaqv are absent from the file, as we can observe in the figure below.

Figure 5: Classes missing in package: aaaqv 
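As an added triage example (not Cyble’s code or the malware’s), the script below parses a decoded manifest for the abusable permission set described above and reports the declared entry-point classes that a DEX class dump does not define, which is the packer indicator this section describes. The manifest fragment and the class list are constructed for the example; ABUSABLE is an assumed mapping of the four abusable capabilities listed above to permission names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping of the report's four abusable capabilities to permission names.
ABUSABLE = {
    "android.permission.READ_SMS", "android.permission.WRITE_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
    "android.permission.GET_ACCOUNTS", "android.permission.READ_PHONE_STATE",
}

# Constructed, decoded manifest fragment modelled on the entry points named in the report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="ifzm.sqik.aaaqv">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:name="arm.StubApp">
    <activity android:name=".Bjtu"/>
    <receiver android:name="ifzm.sqik.aaaqv.Asdf"/>
  </application>
</manifest>"""

# Constructed class list as a DEX class dump would report it: only the stub package exists.
SAMPLE_DEX_CLASSES = {"arm.StubApp", "arm.NativeLoader"}


def triage(manifest_xml, dex_classes):
    """Return the abusable permissions requested and the declared entry points
    that the DEX does not define (missing launcher/receiver = likely packed payload)."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    app = root.find("application")
    nodes = [app] + list(app) if app is not None else []   # Application subclass + components
    declared = set()
    for node in nodes:
        name = node.get(ANDROID_NS + "name")
        if name:
            # Relative component names (".Bjtu") are resolved against the package.
            declared.add(pkg + name if name.startswith(".") else name)
    missing = sorted(declared - set(dex_classes))
    return {
        "abusable": sorted(perms & ABUSABLE),
        "missing_classes": missing,
        "packer_suspected": bool(missing),
    }
```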

This FakeCop variant uses a custom packer that unpacks a DEX file upon execution. Further analysis showed that the TA used a custom packing technique to encrypt the code and store it inside a file in the assets folder.

We found that the unpacker is implemented in a shared object (.so) file and is invoked from the Application subclass (Figure 6).

Figure 6: Unpacking code invoked from Application subclass 

The custom packer uses a bitwise XOR routine to decrypt the DEX file. The code used by the packer is shown below.

Figure 7: Unpack code present in .so file 

SHA256 of the unpacked DEX file: b39d0db0bcc1d63c42e81e0de19cdb7fa9072fb320d94fcad0c987109f1651ec 

Cyble Research Labs unpacked the DEX file using the unpacker code present in the .so file. The resulting file contains the malicious code that performs the spyware behavior.

After creating the decrypted DEX file, the malware loads it and then deletes it to remove all traces of it from the infected device.
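As an added analysis example (not the packer’s code, which the report only shows in the figures), the script below recovers a repeating XOR key from a packed asset by using the constant fields of the DEX header as known plaintext, then hashes the decrypted DEX so it can be compared with the unpacked-DEX SHA256 given above. The repeating-key scheme, the key-length limit and the sample blob are assumptions; the report only states that the packer uses bitwise XOR.

```python
import hashlib
import struct

DEX_MAGIC = b"dex\n035\x00"   # fixed 8-byte magic at the start of every classes.dex

def xor_decrypt(blob, key):
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))

def looks_like_dex(dex):
    """Check header fields that are constant for any DEX file: magic,
    file_size (offset 32), header_size (0x70) and endian_tag (0x12345678)."""
    if len(dex) < 0x70 or dex[:8] != DEX_MAGIC:
        return False
    file_size, header_size, endian_tag = struct.unpack_from("<III", dex, 32)
    return file_size == len(dex) and header_size == 0x70 and endian_tag == 0x12345678

def recover_key(blob, max_len=8):
    """XOR-ing the first 8 ciphertext bytes with the magic yields 8 keystream bytes,
    enough to determine any repeating key of up to 8 bytes (assumed limit). Length 8
    alone would reproduce the magic for any input, so the header check rejects it."""
    stream = bytes(c ^ p for c, p in zip(blob[:8], DEX_MAGIC))
    for n in range(1, max_len + 1):
        if looks_like_dex(xor_decrypt(blob, stream[:n])):
            return stream[:n]
    return None

def unpack(blob):
    """Return (key, dex_bytes, sha256_hex) or None; the hash is what an analyst
    compares against the unpacked-DEX indicator published with the report."""
    key = recover_key(blob)
    if key is None:
        return None
    dex = xor_decrypt(blob, key)
    return key, dex, hashlib.sha256(dex).hexdigest()

def build_sample_dex(payload):
    """Constructed stand-in for a DEX: a minimal 0x70-byte header plus filler."""
    header = bytearray(0x70)
    header[:8] = DEX_MAGIC
    struct.pack_into("<III", header, 32, 0x70 + len(payload), 0x70, 0x12345678)
    return bytes(header) + payload

# Constructed packed asset: the sample DEX encrypted with a 3-byte key (the real key is unknown).
SAMPLE_KEY = b"\x5a\x3c\x99"
SAMPLE_DEX = build_sample_dex(b"constructed filler, not real bytecode")
SAMPLE_BLOB = xor_decrypt(SAMPLE_DEX, SAMPLE_KEY)
```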

Spyware Behavior 

Upon inspecting the unpacked DEX file, we observed that it contains malicious code capable of performing spyware activities such as:

  • Collecting personal information such as contacts, SMSs, and the list of installed applications
  • Collecting hardware information such as the IMEI number
  • Modifying/deleting the device’s SMS database

The code to collect contact data from the victim’s device is shown in the figure below.

Figure 8: Code to collect contacts 

The spyware also collects SMSs from the victim’s device (Figure 9).

Figure 9: Code to collect SMSs 

Through the course of our analysis, we also observed that, in addition to its spyware behavior, the malware is capable of displaying notifications with content provided by the TA.

The malware can also send SMSs without user interaction. The code used to send SMSs is shown in the figure below.

Figure 10: Code to send SMS to a number provided by TA 

This FakeCop variant also checks the device for security software such as McAfee’s antivirus apps. Upon finding these apps, the malware creates a notification requesting the user to modify (disable/uninstall) them, to ensure the malware’s persistence on the device.

The security apps checked by the malware are shown in the below figure.  

Figure 11: Code used by the FakeCop to check for security software 

The security software checked by the malware is listed below. 

Package Name | Details
com.wsandroid.suite | McAfee Security: VPN Antivirus Privacy Protection
com.au.anshinnetsecurity | Secure Internet Security
com.nttdocomo.android.anshinsecurity | Anshin Security
com.mcafee.vsm_android_dcm | Docomo Anshin Scan
Table 1: List of security/anti-virus software checked by the FakeCop spyware

The spyware performs these activities upon receiving commands from the C&C server.

Commands from C&C 

The TA uses an indirect technique to reach the C&C server. The spyware is instructed to access a proxy server to obtain the IP address and port of the C&C server; the C&C details are extracted from the proxy server’s response with the help of an HTML parser. The code used to access the proxy server and extract the C&C IP address is displayed below.

Figure 12: Code to access the proxy server URL 

This technique lets the TA use multiple C&C servers as required: whenever the TA needs to migrate the C&C, they only have to change the C&C details hosted on the proxy server.

Proxy server URL: hxxp://210902[.]top/ 

The C&C details found in the proxy server are shown in the below figure. 

C&C URL: hxxp://172.247.35[.]189:6666/ 

Figure 13: C&C URL found in the proxy server 

The commands used by the TA are given in the table below. 

Command | Description
Address book& | Collect contacts
inbox& | Collect SMS messages
Block SMS& | Delete all SMSs in the inbox
send Message& | Send a text message
Application List& | Collect app list
Table 2: Subset of commands used by the TA

We also observed that the proxy server was used by multiple APK files, a subset of which is shown in the figure below.

Figure 14: Subset of malware samples using the same proxy server (Ref: VirusTotal) 

Delivery Mechanism 

During our OSINT research, we observed that the malware related to this campaign was delivered through the duckdns URLs, as shown in Figure 1. We also found that duckdns was abused for a phishing campaign targeting users from the same country.

Another point to note is that recent Android malware such as FluBot and Medusa also used SMS as the delivery mechanism. This leads us to believe that this variant of FakeCop uses the same mechanism to infect users.

Conclusion 

TAs frequently introduce increasingly sophisticated techniques to avoid detection, and they also use new techniques to ensure that malware persists on the infected device. This new spyware variant is the latest example, using a packer to hide its behavior from static detection.

Using these advanced techniques, this spyware is nearly impossible to detect on an infected device. Thus, users should exercise caution while installing applications.  

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:     

  1. If you find this malware on your device, uninstall it using adb uninstall or perform a factory reset.
  2. Download and install software only from official app stores like Google Play Store & Apple App Store.
  3. Ensure that Google Play Protect is enabled on Android devices.
  4. Be careful while enabling any permissions.
  5. Be wary of opening any links present in SMSs delivered to your phone.
  6. Use the shared IOCs to monitor and block the malware infection.
  7. Keep your anti-virus software updated to detect and remove malicious software.
  8. Keep your devices, operating systems, and applications updated to the latest versions.
  9. Use strong passwords and enable multi-factor authentication.

MITRE ATT&CK® Techniques 

Tactic | Technique ID | Technique Name
Initial Access | T1444 | Masquerade as Legitimate Application
Initial Access | T1476 | Deliver Malicious App via Other Means
Execution | T1575 | Native Code
Persistence | T1402 | Broadcast Receivers
Defense Evasion | T1508 | Suppress Application Icon
Defense Evasion | T1418 | Application Discovery
Defense Evasion | T1575 | Native Code
Defense Evasion | T1406 | Obfuscated Files or Information
Collection | T1412 | Capture SMS Messages
Collection | T1432 | Access Contacts List
Collection | T1533 | Data from Local System
Impact | T1447 | Delete Device Data

Indicators of Compromise (IOCs)   

Indicators Indicator type Description 
hxxp://172.247.35[.]189:6666/ URL C&C URL on which malware communicates  
hxxp://210902[.]top/ URL Proxy server URL 