The Cybereason Nocturnus team is investigating a new campaign involving FakeSpy, an Android mobile malware that emerged around October 2017. FakeSpy is an information stealer used to steal SMS messages, send SMS messages, steal financial data, read account information and contact lists, steal application data, and do much more.
FakeSpy first targeted South Korean and Japanese speakers. However, it has begun to target users all around the world, especially in China, Taiwan, France, Switzerland, Germany, the United Kingdom, the United States, and other countries.
FakeSpy masquerades as legitimate postal service and transportation service apps in order to gain users’ trust. Once installed, the application requests permissions that let it control SMS messages and steal sensitive data on the device, as well as proliferate to other devices listed in the target device’s contact list.
Cybereason’s investigation shows that the threat actor behind the FakeSpy campaign is a Chinese-speaking group dubbed “Roaming Mantis”, a group that has led similar campaigns.
FakeSpy has been in the wild since 2017; this latest campaign indicates that it has become more powerful. Code improvements, new capabilities, anti-emulation techniques, and new, global targets all suggest that this malware is well-maintained by its authors and continues to evolve.