Two years ago, when researchers at antivirus company Trend Micro reported on a new mobile data-stealing kit known as FakeSpy, they warned there could be more to come from the hackers.
Directing the Android-focused malware at users outside of South Korea and Japan, where it was discovered, would simply be a matter of reconfiguring the code, the researchers said.
That’s exactly what happened.
On Wednesday, another set of researchers, from security company Cybereason, revealed how FakeSpy’s operators have been impersonating various postal services in attacks on users in the U.S., China and Europe in the last several weeks. The hackers have taken aim at thousands of users with the help of phony text messages that, if clicked, install code capable of siphoning off financial data from mobile applications.
The findings show how, with an effective mobile malware kit written, hackers can tweak the code to target different parts of the world and see which attacks are the most profitable. And by sending text messages, they don’t have to break into the Google Play Store to plant their code.
“All the new FakeSpy versions contain the same code DNA with minor changes,” Cybereason researchers wrote in a blog.
The attackers have masqueraded as the U.S. Postal Service, along with couriers from Germany to Britain to Taiwan, according to Cybereason. The text messages tell users they have a package for pickup, but of course there’s nothing of the sort. FakeSpy’s operators appear to be looking for data they can steal and monetize.
Posing as USPS can be an effective way for scammers to get their targets’ attention. Another set of hackers used the tactic to try to send financial data-stealing malware to thousands of users, email security company Proofpoint said in November.
The USPS’s cybercrime unit investigates cases in which criminals impersonate the postal service with text messages or emails, an agency spokesperson said. The spokesperson declined to comment when asked if the agency was aware of the FakeSpy campaign.
Based on clues in the code and infrastructure, Assaf Dahan, Cybereason’s head of threat research, believes FakeSpy’s operatives are based in China. His team traced one of the malicious domains used in the operation to a Chinese internet service provider. (Researchers at Fortinet, another security vendor, have found similar evidence.)
While it’s unclear how many people clicked on the malicious links, FakeSpy’s operators have been busy. Of the top five Android threats, FakeSpy accounts for 39% of attacks, according to Trend Micro.
“It’s a well-oiled operation that keeps expanding,” Dahan told CyberScoop. “We see new developments and features added to the code all the time, so my guess is that business is good for them.”