【HITCON FreeTalk 2021 - From fakespy to Guerilla: Understanding Android malware crime gangs】
1. TLP:WHITE
From FakeSpy to Guerilla
Understanding Android Malware Crime Gangs
Fyodor Yarochkin (with help from Paul Pajares, Vladimir Kropotov, Ecular Xu, Zhengyu Dong)
Trend Micro Research
3. Copyright 2021 Trend Micro Inc.
Why are mobile phones targets?
• Mobile phones are often ~= ATM cards with antennas
• Telecom carriers ~= banking institutions
• Less regulated, more connected, easier to break, compromise and remotely control
Reasons for Android phones being targeted
1. Money theft
2. Cyber espionage
3. Data breaches
4. Ransomware (targeted)
5. Cryptocurrencies
Geographical specifics
• Many online IDs are bound to a phone in China
• Mobile phones allow balance transfers in a number of countries, including China and India
• Verified phone numbers in some countries allow caller impersonation
Why are criminals interested in the Android platform?
• Money (banking)
• Virtual currencies
• Access to other apps and accounts in bulk
• Access to phone numbers
Let's take a look at some examples
• Fakespy
• Anubis
• Guerilla
A good illustration of what hackers want from a phone
• Mail
• Storage
• Finance
• Online accounts
• Cryptocurrencies
How It Works
• SMS with malicious link; poses as courier service, Chrome update, others
• Prompt to install malicious iOS profile to configure WiFi, email accounts, etc.
• Prompts to install malicious Android app
• Display Apple phishing or illegal casino site
• Monitor device activity like SMS, device info, router, mobile transactions
• Connect to SNS account; decrypt content and reveal real C2 server
• Send and receive information
• Spread SMS to contacts
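The chain above starts with a lure text (courier notice, Chrome update) carrying a link to a sideloaded APK or a phishing page. As an added example, not from the talk or from Trend Micro, the following triage routine scores SMS bodies for that pattern: a brand keyword combined with a link to a non-brand host, a raw IP address or a direct .apk download. The keyword list, the domain allowlist, the verdict names and the sample messages are all constructed assumptions for this example; the brand keywords are seeded from the lure labels the deck lists.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Lure keywords seeded from the brand labels the deck lists (Japan Post,
# Sagawa, Yamato, DHL, CJ, Chrome); the lure-family mapping is an assumption.
LURE_KEYWORDS = {
    "japan post": "courier", "日本郵便": "courier",
    "sagawa": "courier", "佐川急便": "courier",
    "yamato": "courier", "ヤマト運輸": "courier",
    "dhl": "courier", "대한통운": "courier",
    "chrome": "browser-update",
}

# Constructed allowlist of the impersonated brands' legitimate domains
# (assumption for this example; maintain it from the brands' published domains).
KNOWN_GOOD_DOMAINS = {
    "japanpost.jp", "sagawa-exp.co.jp", "kuronekoyamato.co.jp",
    "dhl.com", "cjlogistics.com", "google.com",
}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def _parse(url: str):
    """Split a URL, prepending a scheme for bare www. links so hostname parses."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path.lower()


def _is_allowlisted(host: str) -> bool:
    """True when host is a known-good domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_GOOD_DOMAINS)


def _is_ip(host: str) -> bool:
    """True when the link points at a bare IP address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_sms(body: str) -> dict:
    """Score one SMS body for the lure-plus-sideload pattern.

    Verdicts: 'suspicious' (brand lure and a risky link), 'review' (risky link
    without a recognised lure), 'clean' (no risky link).
    """
    text = body.lower()
    lure = next((fam for kw, fam in LURE_KEYWORDS.items() if kw in text), None)
    urls = URL_RE.findall(body)
    reasons = []
    for url in urls:
        host, path = _parse(url)
        if _is_allowlisted(host):
            continue  # link really goes to the brand's own domain
        url_reasons = []
        if _is_ip(host):
            url_reasons.append(f"link to raw IP address {host}")
        if path.endswith(".apk"):
            url_reasons.append(f"direct APK download from {host}")
        # brand token inside an unrelated hostname, e.g. japanpost-track.example
        if any(kw.replace(" ", "") in host for kw in LURE_KEYWORDS if kw.isascii()):
            url_reasons.append(f"brand look-alike host {host}")
        if lure and not url_reasons:
            url_reasons.append(f"{lure} lure linking to non-brand host {host}")
        reasons.extend(url_reasons)
    if reasons and lure:
        verdict = "suspicious"
    elif reasons:
        verdict = "review"
    else:
        verdict = "clean"
    return {"lure": lure, "urls": urls, "reasons": reasons, "verdict": verdict}


def triage_batch(messages):
    """Triage a list of SMS bodies, keeping only the verdict and reasons."""
    return [{"verdict": r["verdict"], "reasons": r["reasons"]}
            for r in (triage_sms(m) for m in messages)]


# Constructed sample messages (not real campaign content).
SAMPLE_MESSAGES = [
    "Japan Post: your parcel could not be delivered, confirm at "
    "http://japanpost-redelivery.example/app.apk",
    "Your Chrome is outdated, update now: http://203.0.113.7/chrome.apk",
    "DHL Paket: Sendung unterwegs, Status: https://www.dhl.com/de-de/home/tracking.html",
    "Free game, install here: http://cdn.example.net/game.apk",
    "Lunch at 12? http://www.example.org/menu",
]

if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, triage_batch(SAMPLE_MESSAGES)):
        print(f"{result['verdict']:10s} {msg[:50]!r} {result['reasons']}")
```

Links to the brands' own domains are skipped before any scoring, so a genuine delivery notice stays clean; a risky link without a recognised lure only lands in the review tier, which keeps the brand list from being the sole trigger.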
Lifecycle of Fakespy Apps
[Timeline figure; recoverable slide text follows]
Timeline markers: Oct 2017, Dec 2017, Jun 2018, Apr 2019, Jul 2019, Aug 2019, Sep 2019, Oct 2019
• Fakespy started Dec 2017; Xloader started Jun 2018
• Korean banks (NH Capital, KB Kookmin, Nonghyup Bank)
• Label: CJ 대한통운: started Feb 2016, around 800+ fake apps until Aug 2019, 1200+ fake apps in Sep 2019 to Nov
• Label: 日本郵便: 2,000+ fake apps up to Nov
• Label: DHL Paket: 5,400+ fake apps up to Nov
• Label: Die Post: 4 fake apps
• Label: 智能宅急便: 1,400+ fake apps up to Nov
• Label: Chrome: 20,000+ fake apps since 2015
• Label: Facebook: 600+ fake apps since 2017
• Label: 佐川急便: 21,600+ fake apps since 2017
• Label: ヤマト運輸: 70+ fake apps Oct & Nov 2019
• Label: SEX kr porn: 50+ fake apps Mar to Sep 2019
• Label: MyDocomo: 2 fake apps
• Label: Anshin Scan: 800+ fake apps Mar to Oct 2019
Use of social networks as covert channel
Fakespy
• Fakespy does not target banks but collects contact information, intercepts SMS and propagates via SMS
• Common lures are Japan Post, Sagawa Express and Chrome
Fakespy derivatives
• FakeOps: targets Europe (appeared during COVID-19)
• Xloader: banks in Japan
Victims and Infrastructure
• Asia: Korea, Japan, Singapore
• Some countries in Europe
• Infrastructure: geographically diverse