Technology, Vendor

Cybereason uncovers mobile malware targeting postal service app users

Cybereason has recently published a new research, which uncovered a mobile malware targeting users of mobile postal service and transportation apps.

The new research from its Nocturnus Research team, titled, FakeSpy Masquerades as Postal Service Apps Around the World, an investigation into a new global Android mobile malware campaign targeting users of mobile postal service and transportation apps such as the US Postal Service, Japan Post, Royal Mail (United Kingdom), Le Poste (France) and Deutsche Post (Germany), amongst others. The campaign is being carried out by the Chinese cyber crime group often referred to as Roaming Mantis.

Assaf Dahan, Cybereason

Roaming Mantis has upgraded FakeSpy malware, which dates back to 2017, to carry out his new campaign. FakeSpy is an information stealer that exfiltrates and sends SMS messages, steals financial and application data, reads account information and contact lists. The malware uses smishing, or SMS phishing, to infiltrate target devices, which is a technique that relies on social engineering. The attackers send fake text messages to lure the victims to click on a malicious link and the link directs them to a malicious web page.

Once installed on an Android device, the application requests permissions so that it may control SMS messages and steal sensitive data on the device, as well as proliferate to other devices in the target device’s contact list. The threat actors use postal services themes in their SMS messages. For example, the user will get a pretext such as “missed delivery” or “your package can be collected at” and with a download link for a fake postal service or delivery service app.

“The ultimate motive of Roaming Mantis is financial as they are an organised cybercrime group operating from China for at least 3 years. It is difficult to estimate how many people are behind it, but it is a well oiled operation that keeps expanding. We refer to this type of global campaign as ‘spray and pray’ where the threat actors aren’t focused on any particular individual but they try their luck, casting a rather wide net  waiting for large volumes of people to take the bait,” said Assaf Dahan, Senior Director, Head of Threat Research, Cybereason.

Earlier this year, Nocturnus discovered Eventbot, new Android mobile malware targeting users of more than 200 financial apps, Paypal Business, Barclays, UniCredit, HSBC, CapitalOne, Santander, TransferWise, Coinbase and many more.



Previous ArticleNext Article


The free newsletter covering the top industry headlines