Cybereason published new research from its Nocturnus Research team, titled "FakeSpy Masquerades as Postal Service Apps Around the World", an investigation into a new global Android mobile malware campaign targeting users of mobile postal and transportation service apps, including those of the U.S. Postal Service, Japan Post, Royal Mail (United Kingdom), La Poste (France) and Deutsche Post (Germany), amongst others. The campaign is being carried out by the Chinese cybercrime group often referred to as Roaming Mantis.
Roaming Mantis has upgraded the FakeSpy malware, which dates back to 2017, to carry out this new campaign. FakeSpy is an information stealer: it exfiltrates SMS messages and sends its own, steals financial and application data, and reads account information and contact lists. The malware reaches target devices through smishing (SMS phishing), a technique that relies on social engineering: the attackers send fake text messages that lure victims into clicking a malicious link, which directs them to a malicious web page.
Once installed on an Android device, the application requests permissions that let it take control of SMS messages and steal sensitive data from the device, and it spreads further by messaging the contacts in the device's address book. The threat actors use postal service themes in their SMS messages. For example, the user receives a pretext such as "missed delivery" or "your package can be collected at", together with a download link for a fake postal or delivery service app.
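The lure pattern described above (a delivery-themed pretext paired with a link to an app download outside the official store) can be triaged mechanically. The following script is an added example, not code from Cybereason or the Nocturnus report; the lure phrases, the trusted-host list and the sample messages are all constructed placeholders, and the heuristic is deliberately conservative, flagging a message only when a pretext and an untrusted link appear together or when the link points straight at an APK file.

```python
"""Heuristic triage for delivery-themed smishing texts (added example)."""
import re
from urllib.parse import urlparse

# Delivery-themed pretexts of the kind the report describes. Constructed list;
# extend it from your own telemetry.
DELIVERY_LURES = (
    "missed delivery",
    "can be collected at",
    "package is waiting",
    "failed to deliver",
    "confirm your address",
)

# ASSUMPTION: hostnames your organisation treats as legitimate senders of
# delivery notices. Placeholder values, not the real carriers' domains.
TRUSTED_HOSTS = frozenset({"notify.example-post.test"})

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _host_is_trusted(host: str) -> bool:
    """True if host is a trusted host or a subdomain of one."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def extract_urls(text: str) -> list:
    """Return every http(s) URL found in an SMS body."""
    return URL_RE.findall(text)


def score_sms(text: str) -> dict:
    """Flag a text that pairs a delivery pretext with a link we do not trust.

    Returns a dict with the verdict and the reasons so the caller can log or
    alert on it. A lure phrase alone, or a link alone, is not enough.
    """
    lower = text.lower()
    lures = [p for p in DELIVERY_LURES if p in lower]
    reasons = []
    untrusted_links = []
    for url in extract_urls(text):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if _host_is_trusted(host):
            continue
        untrusted_links.append(url)
        # A direct APK download outside the app store is the strongest signal:
        # the sideloaded app is what goes on to request SMS and contact access.
        if parsed.path.lower().endswith(".apk"):
            reasons.append(f"direct APK download from {host}")
    if lures and untrusted_links:
        reasons.append(
            f"delivery pretext {lures!r} paired with untrusted link(s) "
            f"{untrusted_links!r}"
        )
    return {"suspicious": bool(reasons), "reasons": reasons, "lures": lures}


# Constructed sample messages for a dry run; none are real captures.
SAMPLE_MESSAGES = [
    "Missed delivery: your package can be collected at http://post-track.example/app.apk",
    "Your parcel is out for delivery today. Track it: https://notify.example-post.test/t/123",
    "Lunch at 1? Meet me at the usual place.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict = score_sms(msg)
        print("SUSPICIOUS" if verdict["suspicious"] else "ok", "|", msg)
        for reason in verdict["reasons"]:
            print("   -", reason)
```

Run as written, the first sample is flagged on both counts (APK link and pretext plus untrusted link), the second is cleared because its host is on the trusted list, and the third has no link at all. In a mobile device management or gateway pipeline the same `score_sms` call would sit behind whatever message feed you already collect.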
“The ultimate motive of Roaming Mantis is financial as they are an organized cybercrime group operating from China for at least 3 years. It is difficult to estimate how many people are behind it, but it is a well-oiled operation that keeps expanding. We refer to this type of global campaign as ‘spray and pray’ where the threat actors aren’t focused on any particular individual but they try their luck, casting a rather wide net waiting for large volumes of people to take the bait,” said Assaf Dahan, Senior Director, Head of Threat Research, Cybereason.