Endpoint protection vendor Cybereason has published new research from its Nocturnus Research team, titled "FakeSpy Masquerades as Postal Service Apps Around the World." The report investigates a new global Android mobile malware campaign targeting users of mobile postal service and transportation apps such as the U.S. Postal Service, Japan Post, Royal Mail (United Kingdom), La Poste (France) and Deutsche Post (Germany), among others. The campaign is being carried out by the Chinese cybercrime group often referred to as Roaming Mantis.
Roaming Mantis has upgraded FakeSpy malware, which dates back to 2017, to carry out this new campaign. FakeSpy is an information stealer that exfiltrates and sends SMS messages, steals financial and application data, and reads account information and contact lists. The malware relies on smishing, or SMS phishing, a social engineering technique, to get onto target devices: the attackers send fake text messages that lure victims into clicking a link, and the link directs them to a malicious web page.
Once installed on an Android device, the application requests permissions that let it control SMS messages and steal sensitive data on the device, as well as spread to other devices in the target device’s contact list. The threat actors use postal service themes in their SMS messages. For example, the user receives a pretext such as “missed delivery” or “your package can be collected at”, along with a download link for a fake postal service or delivery service app.
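A defender-side triage check for the permission profile described above, as an added example (not code from Cybereason or the report): it parses an Android manifest and flags apps that request the full SMS read/intercept/send cluster together with contact-list access, the combination FakeSpy needs to steal SMS and spread to contacts. The sample manifest is constructed; the package name and thresholds are assumptions.

```python
"""Flag Android manifests that request the SMS-control plus contacts
permission cluster attributed to FakeSpy. Constructed sample manifest;
added illustration, not the vendor's code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Together these let an app read, intercept and send SMS ...
SMS_CONTROL = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
# ... and this lets it harvest the contact list used to spread further.
CONTACT_HARVEST = {"android.permission.READ_CONTACTS"}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR, "") for el in root.iter("uses-permission")}


def assess(manifest_xml: str) -> dict:
    """Full SMS cluster plus contacts reads matches the FakeSpy profile;
    partial SMS access is sent to an analyst for review (assumed policy)."""
    perms = requested_permissions(manifest_xml)
    sms = SMS_CONTROL & perms
    contacts = CONTACT_HARVEST & perms
    verdict = "benign"
    if sms == SMS_CONTROL and contacts:
        verdict = "fakespy-like"
    elif sms:
        verdict = "review"
    return {"verdict": verdict, "sms": sorted(sms), "contacts": sorted(contacts)}


# Constructed manifest imitating a fake "postal" app's permission set
# (hypothetical package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakepost">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    print(assess(SAMPLE_MANIFEST))
```

Run it against manifests extracted from suspect APKs; a "fakespy-like" verdict is a triage signal for analyst review, not proof of infection on its own.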
Assaf Dahan, Senior Director, Head of Threat Research, Cybereason, said, “The ultimate motive of Roaming Mantis is financial as they are an organised cybercrime group operating from China for at least three years. It is difficult to estimate how many people are behind it, but it is a well-oiled operation that keeps expanding. We refer to this type of global campaign as ‘spray and pray’ where the threat actors aren’t focused on any particular individual, but they try their luck, casting a rather wide net waiting for large volumes of people to take the bait.”
Earlier this year, Nocturnus discovered EventBot, a new Android mobile malware targeting users of more than 200 financial apps, including PayPal Business, Barclays, UniCredit, HSBC, Capital One, Santander, TransferWise, Coinbase and many more.