A new Android malware more powerful than its previous version is currently attacking Royal Mail app users. According to Computer Weekly's latest report, the newest version of FakeSpy for Android, which was first identified in October 2017, is more dangerous and powerful than its predecessor. The new version targets users of delivery and postal service apps globally, including Royal Mail, as stated by Ofir Almkias of Cybereason's Nocturnus threat research team.
The report claimed that the new version of FakeSpy is evolving rapidly, with iterations released on a weekly basis as its developers code in new obfuscation and evasion techniques and strategies, making the Android malware significantly more dangerous than the previous one, said Almkias.
The new version of the Android malware initially targeted Android users in South Korea and Japan, and now abuses the brands of postal service companies in many other countries, such as Germany's Deutsche Post, the U.S. Postal Service, France's La Poste, and the United Kingdom's Royal Mail.
"Code improvements, new capabilities, anti-emulation techniques, and new global target audience all suggest that this malware is well maintained by its authors," wrote Almkias in a disclosure blog.
"Cybereason suspects that Chinese authors created the malware due to many artifacts found during the analysis. The malware packages' names use English spellings of Chinese names with reference to Chinese songs, Chinese food [and] Chinese provinces," added Almkias.
Royal Mail UK and other postal and delivery service apps are the targets of this new Android malware
According to Computer Weekly, Almkias wrote that the domains used for communication with the command-and-control (C2) server are registered to a Chinese name linked with a Chinese internet service provider. The report stated that to worm its way onto a victim's device, FakeSpy uses SMS phishing, or smishing.
In this malicious campaign the hackers send fake text messages, generally a notification of a held package or a missed delivery, that lure targets into clicking a malicious link; the link delivers an Android application package (APK) that purports to be the sender's app.
Once installed and opened, the new Android malware shows the victim two pop-up messages: one asking to ignore battery optimization features and the other prompting them to grant the malware permission to read and intercept every SMS sent to the device. Even if the device is locked and the screen is off, the malware can still operate normally.
The new Android malware can exfiltrate data such as phone numbers, contact lists, data related to any cryptocurrency or banking apps, and details of SMS messages. Any information that may contain authentication certificates for mobile banking in the National Public Key Infrastructure (NPKI) folder is also included.
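The permission requests and data access described in the two paragraphs above (SMS read/intercept, exclusion from battery optimization, contact access) can be turned into a simple manifest triage heuristic. The following is an added example, not Cybereason's or Computer Weekly's tooling; it assumes a manifest already decoded to plain XML (for instance by apktool), and the sample manifest and package name are constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml for the FakeSpy-style permission set:
SMS interception plus a request to be excluded from battery optimization
(keeps the SMS listener alive under Doze), alongside contact access."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # android:name attribute key in ElementTree

# Permission groups matching the behaviour described in the report.
SMS_INTERCEPT = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
PERSISTENCE = {"android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"}
DATA_ACCESS = {"android.permission.READ_CONTACTS"}

# Constructed sample manifest resembling a fake parcel-tracking lure app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.parcel.tracker">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def triage(manifest_xml: str) -> dict:
    """Record one finding per matched group; all three together is the
    FakeSpy-like pattern worth pulling for manual analysis."""
    perms = declared_permissions(manifest_xml)
    findings = []
    if perms & SMS_INTERCEPT:
        findings.append("sms-intercept")
    if perms & PERSISTENCE:
        findings.append("battery-optimization-bypass")
    if perms & DATA_ACCESS:
        findings.append("contacts-access")
    return {"package": ET.fromstring(manifest_xml).get("package"),
            "findings": findings,
            "fakespy_like": len(findings) == 3}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A legitimate messaging app can also declare SMS permissions, so treat a hit as a triage signal rather than a verdict.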