Beware using postal and parcel apps
As we order more online, the opportunities for attackers become more obvious
Cybercriminals know how to capitalize on changes in society – and the resurgence of a long-feared strain of mobile malware shows that hackers are adapting to the way we’re all shopping. FakeSpy, an Android-based mobile malware strain that first emerged in October 2017, has seen a comeback in recent months.
When it first came to attention in 2017, FakeSpy targeted users in South Korea and Japan. The new campaign is going global, according to cybersecurity researchers Cybereason Nocturnus: it has been seen in China, Taiwan, France, Switzerland, Germany, the United Kingdom, and the United States.
The malware is hidden in apps that purport to be the official apps of postal services and courier companies operating in those countries, and which request permission to read SMS messages and other data, including contact lists.
Hitting people where it hurts
The attack vector is a logical one, given the strange times in which we live. Worldwide lockdowns and the forced closure of many non-essential shops have resulted in a mass migration to online shopping.
The UK’s Office for National Statistics (ONS) shows that the share of retail spending online jumped from around 19% in 2019 to 33.4% in May 2020 – the highest the ONS has ever recorded. At the same time, online shopping has increased everywhere else, including a 20% year-on-year jump in the United States as the coronavirus really hit the country.
All those additional parcels purchased online have to be delivered, and customers love to track them. As a result, we’re seeing more reliance on tracking apps – which is where the cybercriminals have spotted their point of entry.
But the modern version of FakeSpy isn’t just the same old malware repurposed for these times. It has been improved upon, and Cybereason says that Roaming Mantis, the Chinese-speaking group believed to be behind the malware, is updating it weekly to avoid detection.
FakeSpy gets onto devices through a smishing attack – or SMS phishing. Users receive a text message pretending to be from a postal service encouraging them to download the malware-laden app in order to track their package. Once they do, the malware “exfiltrates and sends SMS messages, steals financial and application data, reads account information and contact lists, and more,” according to the researchers.
Among the companies whose apps have been spoofed by the FakeSpy malware are Deutsche Post, USPS (the US postal service), Britain’s Royal Mail, France’s La Poste, and Swiss Post.
Real websites, fake apps
The app takes advantage of Android’s WebView, a subclass of the View class that renders web content inside an app, to make the con more convincing. When launched, the malicious app loads the legitimate company’s website in a WebView, so the user sees the real tracking page while the theft of data goes on unnoticed in the background.
The information the malware takes from a user’s phone is relatively comprehensive: the phone number, contacts, text messages, and more. That data can be used to build up a pattern of behavior that is then exploited in more serious attacks.
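A triage check a practitioner might run on a suspected sideloaded "tracking" APK, written here as an added example (it is not code from the page, from Cybereason, or from the malware itself): after decoding the APK's AndroidManifest.xml (for instance with apktool), flag the permission pattern the researchers describe, namely SMS access and contact access in an app that only claims to track parcels. The permission names are the standard Android ones; the two manifests, the package names and the high/medium/low thresholds are constructed for illustration and are not taken from the research.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = "{%s}name" % ANDROID_NS

# Standard Android permission names that grant the capabilities the
# researchers attribute to FakeSpy: reading and sending SMS, and reading
# the contact list and phone identity.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.READ_SMS": "read stored SMS messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS messages",
    "android.permission.SEND_SMS": "send SMS (propagate the smishing lure)",
    "android.permission.READ_CONTACTS": "read the contact list",
    "android.permission.READ_PHONE_STATE": "read phone number and device identity",
}


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NAME)
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NAME)
    }


def triage(manifest_xml):
    """Score a decoded manifest against the FakeSpy permission pattern.

    Verdict thresholds are this example's own, not from the research:
      high   - any SMS permission plus READ_CONTACTS plus INTERNET
      medium - any SMS permission
      low    - none of the flagged permissions
    """
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    hits = {p: why for p, why in SUSPICIOUS_PERMISSIONS.items() if p in perms}
    has_sms = any(p.endswith("_SMS") for p in hits)
    has_contacts = "android.permission.READ_CONTACTS" in hits
    has_net = "android.permission.INTERNET" in perms
    if has_sms and has_contacts and has_net:
        verdict = "high"
    elif has_sms:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package"), "flagged": hits, "verdict": verdict}


# Constructed manifest mimicking the pattern described for the fake postal
# apps. The package name is hypothetical.
FAKE_TRACKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.parceltrack">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Parcel Tracker">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Constructed manifest for a tracker that only needs network access.
BENIGN_TRACKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.honesttracker">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="Honest Tracker"/>
</manifest>
"""


def report(manifest_xml):
    """Human-readable one-liner plus the flagged permissions."""
    result = triage(manifest_xml)
    lines = ["%s: verdict=%s" % (result["package"], result["verdict"])]
    for perm, why in sorted(result["flagged"].items()):
        lines.append("  %s -> %s" % (perm, why))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(FAKE_TRACKER_MANIFEST))
    print(report(BENIGN_TRACKER_MANIFEST))
```

The check is a heuristic, not a signature: a legitimate messaging app will also request SMS permissions, and an app that only loads a website in a WebView needs nothing beyond INTERNET. The point is the mismatch between what a parcel-tracking app claims to do and what it asks for.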
The link to a Chinese-speaking hacking collective is perhaps the most concerning detail for those watching developments here. The expansion of the target markets from Asia to the West is a further worry, as it indicates a deliberate effort to spread the malware well beyond the region around China.
The advice for staying safe while adapting to the new norm of online deliveries and the associated courier apps is simple: install apps solely from official app stores rather than from links delivered in SMS messages, and be wary of any "tracking" app that asks to read or send your SMS messages or access your contacts, which are the permissions the researchers say FakeSpy requests.