A new variant of the Android info-stealer called FakeCop has been spotted by Japanese security researchers, who warn that the distribution of the malicious APK is picking up pace.
First spotted by Japanese security researcher Yusuke Osumi last week, the malware is being distributed in phishing campaigns impersonating KDDI.
Furthermore, the malware is only detected by 22 out of 62 AV engines on VirusTotal, showing a concerted effort by the threat actor to remain hidden.
45.116.13[.]12 (AS4785 xTOM, JP)
(AS21859 ZenLayer) pic.twitter.com/nCsq31Dccw
— Osumi, Yusuke (@ozuma5119) October 19, 2021
Masked as a popular security tool
In a new report by cybersecurity firm Cyble, researchers have dubbed the malware ‘FakeCop’ and state it is masquerading as ‘Anshin Security,’ a popular antivirus product in Japan.
After analyzing the malware, the researchers state that the new spyware variant has the following capabilities:
- Collect SMSs, contacts, accounts information, and apps list
- Modify or delete SMSs in the device database
- Collect device hardware information (IMEI)
- Send SMSs without the user’s knowledge
The spyware asks the user to grant numerous sensitive permissions to perform this functionality, as shown below.
When users are met with such requests by AV software, they are more likely to grant them because security software commonly needs higher privileges to scan and remove detected threats.
Attempts to evade detection
The malware authors are also using a custom packer to hide the actual behavior of their app while also thwarting static detection.
The malicious code is Bitwise XOR encrypted and stored inside a file in the assets folder, and it can only be unpacked if invoked by a specific app subclass.
Additionally, FakeCop actively scans the device app list, and if any antivirus apps are found, it pushes a notification to the user asking them to uninstall them.
The hardcoded AV solutions that malware will prompt users to remove include Anshin Security, McAfee Security, and the Docomo Anshin Scan.
As for how FakeCop reaches the victims, Cyble’s OSINT research revealed two channels of distribution, one via SMS with malicious links and one relying on phishing emails.
The ‘duckdns.org’ free dynamic DNS used as the delivery mechanism has been previously used for distributing Medusa and Flubot, so it’s possible that the current campaign ties to the same operators.
As a general rule, avoid clicking on URL links that arrive via unsolicited SMS and email, and refrain from installing APK files from outside the Google Play Store.
Additionally, periodically check and confirm that Google Play Protect is active on your device, and always scrutinize permission requests when installing a new app.