Starting late December 2020, IBM Trusteer’s mobile threat research lab discovered and began closely tracking a new Android banking malware that appeared to be mostly targeting users in Spain. Per our analysis, the purpose of the malware is to steal credit card numbers, bank account credentials and other private information from its victims. Once a user is infected, FakeChat operators can steal all the necessary data to successfully defraud the user. IBM Trusteer customers received an early release of this report.

The code underpinning this new malware, which we dubbed FakeChat, does not rely on previously released malware. It was written from scratch, and its authors appear to be part of a well-established cyber crime group that probably migrated from distributing other financial malware. Through the first quarter of 2021, as the malware began spreading more aggressively, we noticed that other research teams also found and named it. Most notably, it was blogged about as Cabassous and FluBot.

The group behind this new financial malware appears sophisticated. In addition to having the technical skills required to write malware for Android-based devices, they also have access to malware distribution channels in the targeted countries. In fact, this malware has been growing faster, in terms of infection numbers, than any other financial mobile malware that our lab analyzed in the past five years. In addition to having extremely successful malware distribution channels, FakeChat operators have also tried to create a robust server-side infrastructure by using a domain generation algorithm (DGA) to create new command and control (C2) domains.

Ready for action from the very first FakeChat campaign we identified, the group worked to keep the malware stealthy and ride the rising tides of online shopping that have been booming during the COVID-19 pandemic. The first campaign we discovered distributed the malware under the guise of an application named Correos, the state-owned company responsible for providing postal service in Spain. It then tried to impersonate other apps, such as DHL, FedEx and MRW in delivery-themed campaigns. Behind the branding, almost all infection package names use the Android package (APK) name that WeChat employs (com.tencent.mm or com.tencent.mobileqq), which is what made our team call this malware FakeChat.

During our research, we were able to obtain both development and production versions of the malware’s code, which enabled us to gain deeper insights into FakeChat’s operation and genealogy.

FakeChat’s Infection Tactic

Most FakeChat victims are infected by a SMiShing campaign in which a phishing short message service (SMS) text leads the victim to a hacked website or other infection zone, which presents a social engineering page. The page asks the victim to download an application they supposedly need in order to track/receive their package, concealing the FakeChat infection package. After the victim clicks the download button, the malware is downloaded to the device.

Figure 1: Instructions in Spanish on how to turn on Android’s ‘install from unknown’ feature, so that malware can be installed from any source

Infection Campaign Stats

IBM Trusteer researchers monitored FakeChat infection campaigns, all of which used postal services or delivery as their main lure. Starting with the successful Correros-themed campaign, the second campaign to occur was a smaller DHL-themed campaign. The third campaign, FedEx, was the largest we have observed to date. The fourth and most recent featured MRW as the lure.

 

Figure 2: FakeChat campaign peaks between Dec.17-20 and April 5-21 in Spain indicating infections per million end-users (Source: IBM Trusteer)

 

Figure 3: FakeChat campaign sizes in Spain Q1 2021 (Source: IBM Trusteer)

FakeChat vs. Other Financial Android Malware in Spain

Figure 4: Financial malware campaigns targeting Spain in Q1 2021 (Source: IBM Trusteer)

Accessibility Privilege Requested

After the malware installs, the victim sees one of the following accessibility request screens (depending on the campaign) requesting them to grant accessibility privileges to the malware app.

Figure 5: FakeChat requires the victim to approve accessibility privileges on the device

Automatically Grant Permissions With Accessibility Service

After the victim grants accessibility privileges to the malware, FakeChat grants itself all the other permissions it needs to conduct malicious activity without the victim’s knowledge and without the victim needing to accept further permission requests.

Figure 6: FakeChat permissions

If the malware is installed on a device with Android 10 or earlier, it hides its icon for stealth.

Another stealth method that was found in the malware is the ability to disable Play Protect and prevent uninstallation by the device’s owner.

FakeChat Set as Default SMS App

After it is granted accessibility privileges by the victim, FakeChat also sets itself as the default SMS app, which enables it to hijack incoming SMS messages and forward them to the attacker. In cases where an additional authentication or authorization code is required for the attackers to finalize fraudulent activity and where the code is sent via SMS, the malware can steal it from the infected device.

By grabbing the SMS code, FakeChat can compromise SMS-based two-factor authentication. In addition, FakeChat can mute all SMS notifications to keep the victims unaware of the fraudulent activity taking place in their account.

FakeChat’s Fraud Method

FakeChat is part of the overlay malware category. It aims to phish user credentials by presenting a fake overlay login screen on top of the legitimate app to trick the user into submitting their password on the wrong activity screen.

To know when a victim opens a targeted app, FakeChat keeps tabs on the user’s activities. Throughout its ongoing operations, FakeChat checks for installed applications and dynamically fetches a matching HTML overlay from its C2 server. It constantly monitors for the launch of targeted banking applications on the infected device.

FakeChat fetches the overlay screen in real time. To get the right overlay screen from the C2, the malware first sends a list of all applications installed on the victim’s device. The C2 replies with a list of applications for which it has a match. The malware retrieves the matching HTML overlay for each ‘injectable’ application from the C2 and presents it to the user once the targeted application is launched.

The overlay screen, hiding the original login page from the legitimate app, typically requests the victim’s online banking credentials, credit card details or login details for other targeted accounts. The malware overlay closely resembles the legitimate application’s look and feel, making it less likely a user would suspect it. Once the malware app receives the user’s credentials, it sends the details to the C2 server.

Figure 7: FakeChat phishing asking for payment card details

Figure 8: FakeChat phishing asking for mobile banking credentials

FakeChat’s C2 Commands

Once it is up and running on infected devices, FakeChat can handle various commands from the attacker’s server. These commands allow the malware to run its operations, interact with the device, run additional files and install apps, grab SMS content and exfiltrate data.

A more complete list of commands appears below:

  • 0 – GET_CONTACTS — Upload all contacts to the C2.
  • 1 – SMS_INT_TOGGLE — If the SMS_INT_TOGGLE flag is turned on it sends every SMS to the C2.
  • 2 – NOTIF_INT_TOGGLE — If the NOTIF_INT_TOGGLE flag is turned on it sends every notification to the C2.
  • 3 – OPEN_URL — Open an arbitrary URL with WebView.
  • 4 – DISABLE_PLAY_PROTECT — Disable Play Protect to prevent malware scanning on the device.
  • 5 – CARD_BLOCK — Start the overlay card activity. (Figure 7.)
  • 6 – SEND_SMS — Send an arbitrary SMS from the victim’s device.
  • 7 – RELOAD_INJECTS — If the C2 got new overlays to a new bank it can update all the overlays in the malware.
  • 8 – RETRY_INJECT — Clear flag value saved in shared preferences. Can be used to request to show card activity overlay again.
  • 9 – RUN_USSD—- Execute a USSD command by performing a call.
  • 10 – UNINSTALL_APP — Uninstall an arbitrary application.
  • 11 – BLOCK — Hide all notifications shown to the user.
  • 12 – SOCKS — Transform the infected device to a SOCKS proxy server.
  • 13 – UPLOAD_SMS — Upload all SMS from the device to the C2.

Command Evolution per FakeChat Bot Version

IBM Trusteer researchers studied the progression and capabilities of FakeChat for each bot version and compared it to the previous ones. The following table presents the features added to FakeChat over time.

Table 1: FakeChat bot command evolution

FakeChat’s Notable Malware Features

Bot Configuration and Versioning

After unpacking and string de-obfuscation, FakeChat’s malware configuration is saved alongside other data in a ProgConfig class. We can see the bot version, partial server path, shared preference keys, RSA key, FakeChat commands and some permissions all in the same place.

Figure 9:  Bot configuration

Use of DGA to Communicate with C2

The malware uses a DGA to generate new domain names for the C2 server. The domains are not fully random and are determined by a seed that is generated based on current year and month parameters. The code for the current DGA yields 5,000 new domains (versus 2,000 in older versions) every month.

In earlier releases of FakeChat’s code version 3.4, the malware serially tried to communicate with those pre-generated C2 domains. Our assumption is that due to security researchers discovering the method, the malware authors have decided to harden their infrastructure against sinkholing by attempting to communicate with the C2 domains in a random order (and also generate 5,000 domains instead of 2,000).

Figure 10: FakeChat’s DGA in version 3.8

Figure 11: FakeChat’s DGA — Seed generation code

FakeChat’s Impending Key Logger Capabilities

In more recent versions of FakeChat, the authors started to develop a new capability to steal user credentials from other apps on the device. This capability is still not fully fleshed out. For now, the malware abuses the accessibility privileges to grab text from different applications.

We believe that developing keylogging capabilities is evidence that the authors intend to keep evolving the malware’s data exfiltration ability and that they may be searching for new ways to steal bank credentials from the victim, even without having overlays for all banks and services that users may enjoy on their smartphones.

Figure 12: Get front app text in MyAccessibility class

OpSec: String Obfuscation and Packer Rotation

Malware authors often attempt to hinder the efforts of outsiders to reverse-engineer their code. FakeChat does not feature much in that area. It does use publicly available string obfuscation, the Paranoid Gradle plugin (see Paranoid), to obfuscate strings in the APK. It also uses different packers for different bot versions.

Bot Error Monitoring and Exception Handling

Malware authors can monitor every crash that the malware has in order to improve the bot. Every exception is sent automatically to the C2 server.

Figure 13: MyExceptionHandler class

REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Starting in Android 6, the operating system preserves battery life by limiting apps that can work in the background. FakeChat abuses accessibility privileges to grant itself with REQUEST_IGNORE_BATTERY_OPTIMIZATIONS to keep the device alive even when the victim is not actively using it.

Figure 14: FakeChat bypass of automatic battery optimization

Blocking the Uninstall

Any active window that includes the text FluBot and is not Play Protect is minimized by the malware to prevent the user from uninstalling the malware.

Figure 15: FakeChat hides uninstall option from the user

A community tool that can remove the FakeChat app from infected devices is the application malninstall. To that effect, FakeChat’s authors left the following message in Russian for those who wrote the removal tool.

Figure 16: Translates to “Keep another $25, boy :))”

Do Not Operate on Post-Soviet Block Phones

FakeChat is programmed to halt any malicious activity on devices that use the following languages: Belarusian, Armenian, Kazakh, Kirghiz, Romanian, Moldavian, Russian, Tajik, Ukraine and Uzbekistani. When malware authors specify this sort of avoidance, it is typically indicative they are potentially located in these regions and would rather avoid local victims to prevent issues with local law enforcement.

Figure 17: FakeChat instruction to terminate when language code matches specific settings

The End of FakeChat?

On March 5, 2021, some of the FakeChat local operators in Spain were arrested, hinting at the possible end of the app’s development and spreading efforts.

Figure 18: Notice quoting Catalonian police (obtained via Twitter)

However, our telemetry continues to monitor this malware more than a month past the arrest, and it is apparent that FakeChat’s operation took a hit but has kept on going.

In early April, Trusteer researchers did detect new versions of the FakeChat spreading outside of Spain and infecting users in Poland, Germany and Hungary, to name a few countries. We believe this malware will continue to evolve and spread further in the wild in the second quarter of 2021.

Mapping to MITRE Mobile Attack Techniques

ID Name Use
T1432 Access Contact List FakeChat can obtain the device’s contact list
T1418 Application Discovery FakeChat can obtain a list of installed applications
T1412 Capture SMS Messages FakeChat can collect SMS messages from a device
T1516 Input Injection FakeChat can inject input to grant itself extra permissions without user interaction and to prevent application removal
T1411 Input Prompt FakeChat can generate fake notifications and launch overlay attacks against attacker-specified applications
T1478 Install Insecure or Malicious Configuration FakeChat disables Google Play Protect to prevent its discovery and deletion in the future
T1444 Masquerade as Legitimate Application FakeChat can pretend to be a post-service application
T1406 Obfuscated Files or Information FakeChat uses standard payload and string obfuscation techniques
T1582 SMS Control FakeChat can send SMS messages from a device
T1437 Standard Application Layer Protocol FakeChat communicates with the C2 server using HTTP
T1508 Suppress Application Icon FakeChat hides its icon from the application drawer after being launched for the first time;

(only for Android OS version<10)

T1426 System Information Discovery FakeChat can collect device information, such as the default SMS app and device locale
T1576 Uninstall Malicious Application FakeChat can uninstall itself from a device on command
Scroll to view full table

Figure 19: FakeChat fraud-facilitating features

IOCs

List of Related Package Names

  • com.tencent.mm
  • com.tencent.mobileqq
  • com.example.myapplicationtest — developer versions
  • com.tencent.mn
  • com.eg.android.AlipayGphone
  • com.article.andreport
  • com.candy.sagagames
  • com.cany.withspice
  • com.chinamarkets.android
  • com.multiple.objectives
  • com.plasma.liquid
  • com.redtube.music
  • com.resouce.cloud
  • com.black.andwhite
  • com.flights.bookings
  • com.marriot.hotel
  • narrow.universe.attract
  • six.wonder.word
  • stadium.network.purpose
  • com.serverless.ec
  • com.clubbing.photos
  • thank.favorite.future
  • com.got.games
  • com.sugar.browns
  • com.purple.cream
  • com.invite.qq
  • com.pulse.operate
  • com.velocity.speed

SHA-256 Samples From This Research

  • 9d8b294cacbe9d5303585833b20860eb8da7095c5711c30293a3f56bbf6a9386

version 3.8

  • 139fca7c979e272ff720feffcaf686aeb1dd25a6347d34bbaa443031982d5f3e

version 3.7

  • 4d22c11a05db23129ec2e1b6929d1c8618a790c9feb210ba66c37a3e0cf93cdb

version 3.6

  • c9ab1bce68498551a78c4c28cbbc36e4a827d81a51090d6ed4a5b9ca1fdfb698

version 3.4

  • 30937927e8891f8c0fd2c7b6be5fbc5a05011c34a7375e91aad384b82b9e6a67

version 3.1

  • 54ac754d804ae252f97f27944866702586ffc72c9411dcd1ed55dcd89072c1f6

version 2.9

  • 318e4d4421ce1470da7a23ece3db5e6e4fe9532e07751fc20b1e35d7d7a88ec7

version 2.2

  • ff3a604c3ae0df4a1826a75464974a57924d557b5d730d824d55d10e65f89271

version 2.1

  • cf68a3c0435ba659a3800ca0a95e7b73b7aca8a897947a7ac2b9e9a5a3428417

version 1.7

  • 133e0d4ed98d998b999a0413c10ec408ebeca2c82121683dfb6ccb4d2bd42ece

version 1.3

Dev Versions

  • 7714a16a7092e8826134045d9c2dbe6e692dee660d637bd75881ed8e28149e44

version 3.0

  • c322a23ff73d843a725174ad064c53c6d053b6788c8f441bbd42033f8bb9290c

version 1.2

  • 7bd47e6d52c04adf79255a792008038198196b2dc844b0859c1c8863b0a3ba7c

version 1.0

  • 7578fcde78444537997eaee398ea6df119cb80da3b72337192373325538b40d2

version 0.9

  • c31c2c2d8749829380ec02afa133ec10a02bbf528e960c6ab944ec945135d7ed

version 0.7

  • df5735c6d78b33be53865ab324f3f7ea56622fb1766c590e812534a69cd2e99b

version 0.6

  • d3af7d46d491ae625f66451258def5548ee2232d116f77757434dd41f28bac69

version 0.5

  • 9d5295c0f36fac45ecda49b6e4baab4ed1dcddcc3655519d07c4c1f2663f9441

version 0.4

  • ed7093465f195ab34de246c83ff772aefbe173a335aab0b13b6b03780594fb24

version 0.3

  • 496df860522dea6be1268517a3f30d24b6e8e6195cc3c2b49e82ab6c7b31c24e

version 0.2

  • 5e0311fb1d8dda6b5da28fa3348f108ffa403f3a3cf5a28fc38b12f3cab680a0

version 0.1

More from Intelligence & Analytics

What makes a trailblazer? Inspired by John Mulaney’s Dreamforce roast

4 min read - When you bring a comedian to offer a keynote address, you need to expect the unexpected.But it is a good bet that no one in the crowd at Salesforce’s Dreamforce conference expected John Mulaney to tell a crowd of thousands of tech trailblazers that they were, in fact, not trailblazers at all.“The fact that there are 45,000 ‘trailblazers’ here couldn’t devalue the title anymore,” Mulaney told the audience.Maybe it was meant as nothing more than a punch line, but Mulaney’s…

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today