Starting late December 2020, IBM Trusteer’s mobile threat research lab discovered and began closely tracking a new Android banking malware that appeared to be mostly targeting users in Spain. Per our analysis, the purpose of the malware is to steal credit card numbers, bank account credentials and other private information from its victims. Once a user is infected, FakeChat operators can steal all the necessary data to successfully defraud the user. IBM Trusteer customers received an early release of this report.
The code underpinning this new malware, which we dubbed FakeChat, does not rely on previously released malware. It was written from scratch, and its authors appear to be part of a well-established cyber crime group that probably migrated from distributing other financial malware. Through the first quarter of 2021, as the malware began spreading more aggressively, we noticed that other research teams also found and named it. Most notably, it was blogged about as Cabassous and FluBot.
The group behind this new financial malware appears sophisticated. In addition to having the technical skills required to write malware for Android-based devices, they also have access to malware distribution channels in the targeted countries. In fact, this malware has been growing faster, in terms of infection numbers, than any other financial mobile malware that our lab analyzed in the past five years. In addition to having extremely successful malware distribution channels, FakeChat operators have also tried to create a robust server-side infrastructure by using a domain generation algorithm (DGA) to create new command and control (C2) domains.
Ready for action from the very first FakeChat campaign we identified, the group worked to keep the malware stealthy and ride the rising tides of online shopping that have been booming during the COVID-19 pandemic. The first campaign we discovered distributed the malware under the guise of an application named Correos, the state-owned company responsible for providing postal service in Spain. It then tried to impersonate other apps, such as DHL, FedEx and MRW in delivery-themed campaigns. Behind the branding, almost all infection package names use the Android package (APK) name that WeChat employs (com.tencent.mm or com.tencent.mobileqq), which is what made our team call this malware FakeChat.
During our research, we were able to obtain both development and production versions of the malware’s code, which enabled us to gain deeper insights into FakeChat’s operation and genealogy.
FakeChat’s Infection Tactic
Most FakeChat victims are infected by a SMiShing campaign in which a phishing short message service (SMS) text leads the victim to a hacked website or other infection zone, which presents a social engineering page. The page asks the victim to download an application they supposedly need in order to track/receive their package, concealing the FakeChat infection package. After the victim clicks the download button, the malware is downloaded to the device.
Figure 1: Instructions in Spanish on how to turn on Android’s ‘install from unknown’ feature, so that malware can be installed from any source
Infection Campaign Stats
IBM Trusteer researchers monitored FakeChat infection campaigns, all of which used postal services or delivery as their main lure. Starting with the successful Correros-themed campaign, the second campaign to occur was a smaller DHL-themed campaign. The third campaign, FedEx, was the largest we have observed to date. The fourth and most recent featured MRW as the lure.
Figure 2: FakeChat campaign peaks between Dec.17-20 and April 5-21 in Spain indicating infections per million end-users (Source: IBM Trusteer)
Figure 3: FakeChat campaign sizes in Spain Q1 2021 (Source: IBM Trusteer)
FakeChat vs. Other Financial Android Malware in Spain
Figure 4: Financial malware campaigns targeting Spain in Q1 2021 (Source: IBM Trusteer)
Accessibility Privilege Requested
After the malware installs, the victim sees one of the following accessibility request screens (depending on the campaign) requesting them to grant accessibility privileges to the malware app.
Figure 5: FakeChat requires the victim to approve accessibility privileges on the device
Automatically Grant Permissions With Accessibility Service
After the victim grants accessibility privileges to the malware, FakeChat grants itself all the other permissions it needs to conduct malicious activity without the victim’s knowledge and without the victim needing to accept further permission requests.
Figure 6: FakeChat permissions
If the malware is installed on a device with Android 10 or earlier, it hides its icon for stealth.
Another stealth method that was found in the malware is the ability to disable Play Protect and prevent uninstallation by the device’s owner.
FakeChat Set as Default SMS App
After it is granted accessibility privileges by the victim, FakeChat also sets itself as the default SMS app, which enables it to hijack incoming SMS messages and forward them to the attacker. In cases where an additional authentication or authorization code is required for the attackers to finalize fraudulent activity and where the code is sent via SMS, the malware can steal it from the infected device.
By grabbing the SMS code, FakeChat can compromise SMS-based two-factor authentication. In addition, FakeChat can mute all SMS notifications to keep the victims unaware of the fraudulent activity taking place in their account.
FakeChat’s Fraud Method
FakeChat is part of the overlay malware category. It aims to phish user credentials by presenting a fake overlay login screen on top of the legitimate app to trick the user into submitting their password on the wrong activity screen.
To know when a victim opens a targeted app, FakeChat keeps tabs on the user’s activities. Throughout its ongoing operations, FakeChat checks for installed applications and dynamically fetches a matching HTML overlay from its C2 server. It constantly monitors for the launch of targeted banking applications on the infected device.
FakeChat fetches the overlay screen in real time. To get the right overlay screen from the C2, the malware first sends a list of all applications installed on the victim’s device. The C2 replies with a list of applications for which it has a match. The malware retrieves the matching HTML overlay for each ‘injectable’ application from the C2 and presents it to the user once the targeted application is launched.
The overlay screen, hiding the original login page from the legitimate app, typically requests the victim’s online banking credentials, credit card details or login details for other targeted accounts. The malware overlay closely resembles the legitimate application’s look and feel, making it less likely a user would suspect it. Once the malware app receives the user’s credentials, it sends the details to the C2 server.
Figure 7: FakeChat phishing asking for payment card details
Figure 8: FakeChat phishing asking for mobile banking credentials
FakeChat’s C2 Commands
Once it is up and running on infected devices, FakeChat can handle various commands from the attacker’s server. These commands allow the malware to run its operations, interact with the device, run additional files and install apps, grab SMS content and exfiltrate data.
A more complete list of commands appears below:
- 0 – GET_CONTACTS — Upload all contacts to the C2.
- 1 – SMS_INT_TOGGLE — If the SMS_INT_TOGGLE flag is turned on it sends every SMS to the C2.
- 2 – NOTIF_INT_TOGGLE — If the NOTIF_INT_TOGGLE flag is turned on it sends every notification to the C2.
- 3 – OPEN_URL — Open an arbitrary URL with WebView.
- 4 – DISABLE_PLAY_PROTECT — Disable Play Protect to prevent malware scanning on the device.
- 5 – CARD_BLOCK — Start the overlay card activity. (Figure 7.)
- 6 – SEND_SMS — Send an arbitrary SMS from the victim’s device.
- 7 – RELOAD_INJECTS — If the C2 got new overlays to a new bank it can update all the overlays in the malware.
- 8 – RETRY_INJECT — Clear flag value saved in shared preferences. Can be used to request to show card activity overlay again.
- 9 – RUN_USSD—- Execute a USSD command by performing a call.
- 10 – UNINSTALL_APP — Uninstall an arbitrary application.
- 11 – BLOCK — Hide all notifications shown to the user.
- 12 – SOCKS — Transform the infected device to a SOCKS proxy server.
- 13 – UPLOAD_SMS — Upload all SMS from the device to the C2.
Command Evolution per FakeChat Bot Version
IBM Trusteer researchers studied the progression and capabilities of FakeChat for each bot version and compared it to the previous ones. The following table presents the features added to FakeChat over time.
Table 1: FakeChat bot command evolution
FakeChat’s Notable Malware Features
Bot Configuration and Versioning
After unpacking and string de-obfuscation, FakeChat’s malware configuration is saved alongside other data in a ProgConfig class. We can see the bot version, partial server path, shared preference keys, RSA key, FakeChat commands and some permissions all in the same place.
Figure 9: Bot configuration
Use of DGA to Communicate with C2
The malware uses a DGA to generate new domain names for the C2 server. The domains are not fully random and are determined by a seed that is generated based on current year and month parameters. The code for the current DGA yields 5,000 new domains (versus 2,000 in older versions) every month.
In earlier releases of FakeChat’s code version 3.4, the malware serially tried to communicate with those pre-generated C2 domains. Our assumption is that due to security researchers discovering the method, the malware authors have decided to harden their infrastructure against sinkholing by attempting to communicate with the C2 domains in a random order (and also generate 5,000 domains instead of 2,000).
Figure 10: FakeChat’s DGA in version 3.8
Figure 11: FakeChat’s DGA — Seed generation code
FakeChat’s Impending Key Logger Capabilities
In more recent versions of FakeChat, the authors started to develop a new capability to steal user credentials from other apps on the device. This capability is still not fully fleshed out. For now, the malware abuses the accessibility privileges to grab text from different applications.
We believe that developing keylogging capabilities is evidence that the authors intend to keep evolving the malware’s data exfiltration ability and that they may be searching for new ways to steal bank credentials from the victim, even without having overlays for all banks and services that users may enjoy on their smartphones.
Figure 12: Get front app text in MyAccessibility class
OpSec: String Obfuscation and Packer Rotation
Malware authors often attempt to hinder the efforts of outsiders to reverse-engineer their code. FakeChat does not feature much in that area. It does use publicly available string obfuscation, the Paranoid Gradle plugin (see Paranoid), to obfuscate strings in the APK. It also uses different packers for different bot versions.
Bot Error Monitoring and Exception Handling
Malware authors can monitor every crash that the malware has in order to improve the bot. Every exception is sent automatically to the C2 server.
Figure 13: MyExceptionHandler class
REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
Starting in Android 6, the operating system preserves battery life by limiting apps that can work in the background. FakeChat abuses accessibility privileges to grant itself with REQUEST_IGNORE_BATTERY_OPTIMIZATIONS to keep the device alive even when the victim is not actively using it.
Figure 14: FakeChat bypass of automatic battery optimization
Blocking the Uninstall
Any active window that includes the text FluBot and is not Play Protect is minimized by the malware to prevent the user from uninstalling the malware.
Figure 15: FakeChat hides uninstall option from the user
A community tool that can remove the FakeChat app from infected devices is the application malninstall. To that effect, FakeChat’s authors left the following message in Russian for those who wrote the removal tool.
Figure 16: Translates to “Keep another $25, boy :))”
Do Not Operate on Post-Soviet Block Phones
FakeChat is programmed to halt any malicious activity on devices that use the following languages: Belarusian, Armenian, Kazakh, Kirghiz, Romanian, Moldavian, Russian, Tajik, Ukraine and Uzbekistani. When malware authors specify this sort of avoidance, it is typically indicative they are potentially located in these regions and would rather avoid local victims to prevent issues with local law enforcement.
Figure 17: FakeChat instruction to terminate when language code matches specific settings
The End of FakeChat?
On March 5, 2021, some of the FakeChat local operators in Spain were arrested, hinting at the possible end of the app’s development and spreading efforts.
Figure 18: Notice quoting Catalonian police (obtained via Twitter)
However, our telemetry continues to monitor this malware more than a month past the arrest, and it is apparent that FakeChat’s operation took a hit but has kept on going.
In early April, Trusteer researchers did detect new versions of the FakeChat spreading outside of Spain and infecting users in Poland, Germany and Hungary, to name a few countries. We believe this malware will continue to evolve and spread further in the wild in the second quarter of 2021.
Mapping to MITRE Mobile Attack Techniques
Scroll to view full table
Figure 19: FakeChat fraud-facilitating features
IOCs
List of Related Package Names
- com.tencent.mm
- com.tencent.mobileqq
- com.example.myapplicationtest — developer versions
- com.tencent.mn
- com.eg.android.AlipayGphone
- com.article.andreport
- com.candy.sagagames
- com.cany.withspice
- com.chinamarkets.android
- com.multiple.objectives
- com.plasma.liquid
- com.redtube.music
- com.resouce.cloud
- com.black.andwhite
- com.flights.bookings
- com.marriot.hotel
- narrow.universe.attract
- six.wonder.word
- stadium.network.purpose
- com.serverless.ec
- com.clubbing.photos
- thank.favorite.future
- com.got.games
- com.sugar.browns
- com.purple.cream
- com.invite.qq
- com.pulse.operate
- com.velocity.speed
SHA-256 Samples From This Research
- 9d8b294cacbe9d5303585833b20860eb8da7095c5711c30293a3f56bbf6a9386
version 3.8
- 139fca7c979e272ff720feffcaf686aeb1dd25a6347d34bbaa443031982d5f3e
version 3.7
- 4d22c11a05db23129ec2e1b6929d1c8618a790c9feb210ba66c37a3e0cf93cdb
version 3.6
- c9ab1bce68498551a78c4c28cbbc36e4a827d81a51090d6ed4a5b9ca1fdfb698
version 3.4
- 30937927e8891f8c0fd2c7b6be5fbc5a05011c34a7375e91aad384b82b9e6a67
version 3.1
- 54ac754d804ae252f97f27944866702586ffc72c9411dcd1ed55dcd89072c1f6
version 2.9
- 318e4d4421ce1470da7a23ece3db5e6e4fe9532e07751fc20b1e35d7d7a88ec7
version 2.2
- ff3a604c3ae0df4a1826a75464974a57924d557b5d730d824d55d10e65f89271
version 2.1
- cf68a3c0435ba659a3800ca0a95e7b73b7aca8a897947a7ac2b9e9a5a3428417
version 1.7
- 133e0d4ed98d998b999a0413c10ec408ebeca2c82121683dfb6ccb4d2bd42ece
version 1.3
Dev Versions
- 7714a16a7092e8826134045d9c2dbe6e692dee660d637bd75881ed8e28149e44
version 3.0
- c322a23ff73d843a725174ad064c53c6d053b6788c8f441bbd42033f8bb9290c
version 1.2
- 7bd47e6d52c04adf79255a792008038198196b2dc844b0859c1c8863b0a3ba7c
version 1.0
- 7578fcde78444537997eaee398ea6df119cb80da3b72337192373325538b40d2
version 0.9
- c31c2c2d8749829380ec02afa133ec10a02bbf528e960c6ab944ec945135d7ed
version 0.7
- df5735c6d78b33be53865ab324f3f7ea56622fb1766c590e812534a69cd2e99b
version 0.6
- d3af7d46d491ae625f66451258def5548ee2232d116f77757434dd41f28bac69
version 0.5
- 9d5295c0f36fac45ecda49b6e4baab4ed1dcddcc3655519d07c4c1f2663f9441
version 0.4
- ed7093465f195ab34de246c83ff772aefbe173a335aab0b13b6b03780594fb24
version 0.3
- 496df860522dea6be1268517a3f30d24b6e8e6195cc3c2b49e82ab6c7b31c24e
version 0.2
- 5e0311fb1d8dda6b5da28fa3348f108ffa403f3a3cf5a28fc38b12f3cab680a0
version 0.1
Mobile Security Researcher, IBM Security