• Chinese hackers are targeting Android phones with a new piece of malware that attempts to fool people into clicking on a “missed delivery” text — the kind of text that’s no doubt become especially familiar to people during the coronavirus pandemic as they spend more time at home and ordering items for delivery.
• The text is actually a phishing scam that enables everything from stealing bank details to a user’s contact list.
• It’s being perpetrated, according to cybersecurity researchers, by a group of hackers operating under the “Roaming Mantis” collective.Another day, another nasty new piece of Android malware to be aware of — this time, according to cybersecurity researchers at Cybereason, it’s malware that uses a “missed delivery” text to phish its unsuspecting recipients.
There has been a spate of these incidents lately, involving everything from sketchy apps found in the Google Play Store to the presence of undeletable, malicious files and apps inside Android phones. After investigating this latest malfeasance, Cybereason’s team found that it’s a Chinese-speaking group of hackers operating under the banner of “Roaming Mantis” that’s behind this so-called FakeSpy malware campaign.
“FakeSpy has been in the wild since 2017; this latest campaign indicates that it has become more powerful,” the Cybereason team notes. “Code improvements, new capabilities, anti-emulation techniques, and new, global targets all suggest that this malware is well-maintained by its authors and continues to evolve.”
According to this research, FakeSpy can exfiltrate and send SMS messages, in addition to stealing financial data, reading account information, and contact lists, among other nefarious acts. Users are tricked into clicking a text message informing them of a missed delivery, which steers them to download an Android application package. This is being used to target Android users all over the world, including in the US thanks to the malware’s ability to send messages that purport to be from the US Postal Service.
“Roaming Mantis” sounds the name of a villain from a movie, but it’s actually the moniker of a Chinese threat actor group that’s been around for a few years now and has continued to evolve. They used to mostly target Asian countries but have since expanded to strike at victims across the world.
What can you do to protect yourself? Cybereason senior director and head of threat research Assaf Dahan told ZDNet that people should be suspicious of SMS messages that contain links. “If they do click on a link,” Dahan said, “they need to check the authenticity of the webpage, look for typos or wrong website name, and most of all — avoid downloading apps from unofficial stores.” These practices can protect you from inadvertently downloading malicious apps, getting phished by clicking on dodgy text message links, and more.
source
