Japanese security researcher Yusuke Osumi has discovered a new variant of the Android info-stealer called FakeCop that uses an information stealer masquerading as a security app to collect the victims’ personal information.  

After analyzing the malware, the researchers state that the new spyware variant has the following capabilities:

  • Collect SMSs, contacts, accounts information, and apps list
  • Modify or delete SMSs in the device database
  • Collect device hardware information (IMEI)
  • Send SMSs without the user’s knowledge

The spyware asks the user to grant numerous sensitive permissions to perform this functionality, as shown below.

When users are met with such requests by AV software, they are more likely to grant them because security software commonly needs higher privileges to scan and remove detected threats.

Buy Me A Coffee

The malware authors are also using a custom packer to hide the actual behavior of their app while also thwarting static detection.

The malicious code is Bitwise XOR encrypted and stored inside a file in the assets folder, and it can only be unpacked if invoked by a specific app subclass.

Additionally, FakeCop actively scans the device app list, and if any antivirus apps are found, it pushes a notification to the user asking them to uninstall them.

The hardcoded AV solutions that malware will prompt users to remove include Anshin Security, McAfee Security, and the Docomo Anshin Scan.

24 Bugs in Chinese Biometric Devices Can Compromise Data

As for how FakeCop reaches the victims, Cyble’s OSINT research revealed two channels of distribution, one via SMS with malicious links and one relying on phishing emails.

The ‘duckdns.org’ free dynamic DNS used as the delivery mechanism has been previously used for distributing Medusa and Flubot, so it’s possible that the current campaign ties to the same operators.

As a general rule, avoid clicking on URL links that arrive via unsolicited SMS and email, and refrain from installing APK files from outside the Google Play Store.

Additionally, periodically check and confirm that Google Play Protect is active on your device, and always scrutinize permission requests when installing a new app.