Analysis by: Kenny Ye

 THREAT SUBTYPE:

Information Stealer, Click Fraud, Spying Tool

 PLATFORM:

AndroidOS


  • Threat Type: Trojan Spy

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This Trojan Spy arrives via SMS messages.

  TECHNICAL DETAILS

File Size: 2377972 bytes
File Type: APK
Memory Resident: Yes
Initial Samples Received Date: 18 Mar 2019

Arrival Details

This Trojan Spy arrives via SMS messages.

NOTES:

FakeSpy is capable of stealing text messages, as well as account information, contacts, and call records stored in the infected device. FakeSpy can also serve as a vector for a banking trojan.

Once launched, FakeSpy starts monitoring the text messages that the affected device receives. These SMS messages are stolen and uploaded to the server. FakeSpy also receives commands through JavaScript: it abuses the JavaScript bridge (JavaScriptInterface) to invoke the app’s internal functions by downloading and then running JavaScript from a remote website. FakeSpy’s commands include adding contacts to the device, setting it to mute, resetting the device, stealing stored SMS messages and device information, and updating its own configurations.

Apart from information theft, FakeSpy can also check for banking-related applications installed on the device. If they match FakeSpy’s apps of interest, they are replaced with counterfeit/repackaged versions that imitate the user interfaces (UI) of their legitimate counterparts. The counterfeit app phishes for the users’ accounts: ironically, it notifies users that they need to key in their credentials due to upgrades made on the app to address information leaks. It also warns users that their account will be locked. The stolen information is sent to the server once the users click on the login button. Besides online banking apps, FakeSpy also checks for apps used for digital currency trading and e-commerce.
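The SMS monitoring and remotely fed JavaScript bridge described above can be checked for during static triage of an unpacked APK. The following is an added example, not code from the original analysis: the trait names, the `triage` and `is_suspicious` helpers, the escalation threshold and the sample inputs are all constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
DATA_PERMS = {"android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
BRIDGE_RE = re.compile(r"\.addJavascriptInterface\s*\(")
# loadUrl() whose argument is anything other than a bundled-asset literal
REMOTE_LOAD_RE = re.compile(r'\.loadUrl\s*\(\s*(?!"file:///android_asset/)')

def triage(manifest_xml, sources):
    """Return FakeSpy-like traits found in a decoded manifest and decompiled sources."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    actions = {e.get(NS + "name") for e in root.iter("action")}
    traits = set()
    # An SMS permission plus a receiver for incoming SMS: the app sees every message.
    if perms & SMS_PERMS and SMS_ACTION in actions:
        traits.add("sms_monitoring")
    if perms & DATA_PERMS:
        traits.add("contact_or_call_log_access")
    # A bridge object and a non-local page load in one class: remote script can call app methods.
    if "android.permission.INTERNET" in perms and any(
        BRIDGE_RE.search(code) and REMOTE_LOAD_RE.search(code) for code in sources.values()
    ):
        traits.add("remote_js_bridge")
    return traits

def is_suspicious(traits):
    # Assumption: SMS monitoring together with a remotely fed bridge warrants escalation.
    return {"sms_monitoring", "remote_js_bridge"} <= traits

# Constructed sample input (not taken from any real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application><receiver android:name=".R"><intent-filter>
    <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
  </intent-filter></receiver></application>
</manifest>"""
SAMPLE_SOURCES = {"MainActivity.java": 'web.addJavascriptInterface(new Bridge(), "b");\nweb.loadUrl(configUrl);'}
BENIGN_SOURCES = {"HelpActivity.java": 'web.addJavascriptInterface(new Ui(), "ui");\nweb.loadUrl("file:///android_asset/help.html");'}

if __name__ == "__main__":
    found = triage(SAMPLE_MANIFEST, SAMPLE_SOURCES)
    print(sorted(found), is_suspicious(found))
```

The source check is a text heuristic over decompiled code, so obfuscated or reflectively invoked bridge calls will not match and need dynamic analysis.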

  SOLUTION

Minimum Scan Engine: 9.850

Step 1

Remove unwanted apps on your Android mobile device


Step 2

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android and iOS smartphones and tablets from malicious and Trojanized applications. It blocks access to malicious websites, increases device performance, and protects your mobile data. You may download the Trend Micro Mobile Security apps from the following sites:

