Click to Skip Ad
Closing in...

An old piece of Android malware is back and more dangerous than before

Published Jul 3rd, 2020 10:01PM EDT
Android Malware
Image: Gorodenkoff/Shutterstock

If you buy through a BGR link, we may earn an affiliate commission, helping support our expert product labs.

  • An old piece of Android malware called FakeSpy has resurfaced and is now targeting users across the United States and Western Europe.
  • The app is capable of stealing a user’s text messages, banking information, and app data.
  • The malware spreads via a text message that seemingly comes from a local post office and instructs users to download an app disguised as a legitimate post office app.

An old and dangerous piece of Android malware called FakeSpy has resurfaced in a big way, according to a new report from Cybereason. FakeSpy, which was first discovered by security researchers nearly three years ago, is a particularly nasty piece of malware designed to steal a user’s text messages, financial data, bank login information, app data, contact lists, and more.

In its original incarnation, the app targeted users in South Korea and Japan. Recently, though, the app has become far more ambitious and is now starting to target users across the globe. Some of the countries currently targeted by the malware include China, France, Germany, the UK, and the United States. The current iteration of FakeSpy is also said to be more powerful and sophisticated than the original version, which is to say Android users should be particularly vigilant about avoiding suspicious messages.

The manner by which FakeSpy spreads is quite clever and begins with an SMS message that claims to be from a local post office. The message claims that the post office tried to deliver a package but was unable to do so because a user wasn’t home. It then provides a link users can click which directs them to download an app disguised as a legitimate postal service app. Once installed on a device, the app will then send the fake text, along with the malicious link, to a user’s entire contact list.

Cybereason adds:

The fake applications are built using WebView, a popular extension of Android’s View class that lets the developer show a webpage. FakeSpy uses this view to redirect users to the original post office carrier webpage on launch of the application, continuing the deception. This allows the application to appear legitimate, especially given these applications icons and user interface.

Once an unsuspecting user downloads the fake app, the malware essentially has full access to a user’s device. Among other things, it can read text messages, send text messages, access contact information, and read from external storage. Beyond that, the app also makes a point to look for any banking or cryptocurrency-related apps so that it can steal login information.

As to where the malware originated from, researchers claim that all signs point to a Chinese group known as “Roaming Mantis.”

Cybereason concludes:

The malware authors seem to be putting a lot of effort into improving this malware, bundling it with numerous new upgrades that make it more sophisticated, evasive, and well-equipped. These improvements render FakeSpy one of the most powerful information stealers on the market. We anticipate this malware to continue to evolve with additional new features; the only question now is when we will see the next wave.

While it should go without saying at this point, Android users should remain suspicious of any text message that comes from an unfamiliar sender.

Yoni Heisler Contributing Writer

Yoni Heisler has been writing about Apple and the tech industry at large with over 15 years of experience. A life long expert Mac user and Apple expert, his writing has appeared in Edible Apple, Network World, MacLife, Macworld UK, and TUAW.

When not analyzing the latest happenings with Apple, Yoni enjoys catching Improv shows in Chicago, playing soccer, and cultivating new TV show addictions.