FakeSpy Malware Targeting Android Users in Japan and Korea


FakeSpy Malware was first discovered by Trend Micro researchers in June 2018. FakeSpy aimed of compromising Android devices to purloin text messages, contacts, call records & bank account information of the users. Cyber criminals used SMS as a doorway to plunge Trojan in potential android devices. To your surprise, FakeSpy Malware also serves as a course for Banking Trojan.

FakeSpy t4

Based on the implications, researchers found that this Malware Campaign targeted South Korean users & has been in active mode since October 2017.

The widespread Malware Campaign is now heavily vicious towards Japan & Korean Android Users and the bad guys smartly tuned the fake spy to modify its configuration as it conquers several countries.

Onset of Attack

In the event, the targeted victims receive a mobile text message disguising as a legit message from Japan based Logistics Company. A mere click on the link in the SMS would redirect the innocent users to malignant web-page. The infected page contains a script that pop-ups after a click on any toggle on the site.

FakeSpy t1

Unaware of the threat bestowed in the site, users would click on the page, which paves a way to the download of malicious Android Application Package (APK).

Following this accidental download, FakeSpy invades the infected device for banking apps. If a banking app is found, malware replaces the legit app with duplicate/infected versions that mirrors the interface.  Post this replacement, malware launches the process where banking credentials are required. Malware steals username, PIN number & passwords when the victim enters the required information.

Surprisingly, this malware is also capable of creating & sending malicious Text Messages to other devices. It smartly gathers the list of applications installed in the android devices & sends it to attackers C&C server.

Analyzing the Android Trojan

This Android malware possesses various data-stealing capabilities & targeting Japanese & Korean users primarily. Its uses social engineering techniques & gains access to victim’s personal information like contact list, text messages & banking details. Once the Android device is infected, the malware will start communing with hacker’s C&C server & sends the entire contact list. This will further send the malicious links to all the numbers & infect other devices.

FakeSpy t2

In order to send commands via JavaScript, FakeSpy abuses JavaScript Bridge to invoke apps internal commands such as setting the infected device to mute, reset the device & update its configuration file. It accesses the internal commands by downloading & then running JavaScript from a remote website.

FakeSpy as Banking Trojan Vector

Apart from data-theft, FakeSpy checks the infected device for banking-related apps & CryptoCurrency trading apps, researchers added. Targeted apps are replaced with repacked versions & make way for attackers to steal user’s credentials & attempt online banking fraud.

The malware phishes victim’s account & warns them to “key” in their credentials in order to avoid account block due to upgrades made in the app to consign information leakage.

The initial sample analysis discovered the malign domain name as “hxxp://sagawa-ba.com”. This fake site poses as express delivery service, transportation, clothing retailer, mobile telecommunications company to Japanese users while it appears as an app for various local financial services to Korean users.

Escaping Tracking Down

FakeSpy developers use distinctive approaches to hide & update the C&C servers. The malware exploits the social media by posting the IP addresses on a Twitter profile whose administrators are altered smartly on a regular basis. The IP addresses start with ^^ and ends with $$. After a malware is launched, it accesses the Twitter page & interprets its content to recover C2s IP address. In the similar way, FakeSpy developers are corrupting forums & other open-source dynamic tools.

The C&C server address configured in apps of infected devices is updated at least once in a day that one may escape disclosure.

FakeSpy t3

According to analysis done by cyber security experts, hackers behind FakeSpy are active & have registered hundreds of domains that portray as Japanese post service. 347 domains have been detected so far with the name of the postal service- ‘sagawa-ba.com’

Sadly, FakeSpy Malware seems to be in development & the malware campaign could soon expand to infect users in other parts of the world, provided the pace at which the hackers are continually altering FakeSpy’s configuration.


  1. Always use recognized App Store to download apps for your mobile devices (Google Play Store, Apple iTunes).
  2. Install a renowned mobile anti-virus package for your Smartphone & enable it.
Virus Removal Guidelines