Starting late December 2020, IBM Trusteer’s mobile threat research lab discovered and began closely tracking a new Android banking malware that appeared to be mostly targeting users in Spain. Per our analysis, the purpose of the malware is to steal credit card numbers, bank account credentials and other private information from its victims. Once a user is infected, FakeChat operators can steal all the necessary data to successfully defraud the user. IBM Trusteer customers received an early release of this report.
The code underpinning this new malware, which we dubbed FakeChat, does not rely on previously released malware. It was written from scratch, and its authors appear to be part of a well-established cyber crime group that probably migrated from distributing other financial malware. Through the first quarter of 2021, as the malware began spreading more aggressively, we noticed that other research teams also found and named it. Most notably, it was blogged about as Cabassous and FluBot.
The group behind this new financial malware appears sophisticated. In addition to having the technical skills required to write malware for Android-based devices, they also have access to malware distribution channels in the targeted countries. In fact, this malware has been growing faster, in terms of infection numbers, than any other financial mobile malware that our lab analyzed in the past five years. In addition to having extremely successful malware distribution channels, FakeChat operators have also tried to create a robust server-side infrastructure by using a domain generation algorithm (DGA) to create new command and control (C2) domains.
Ready for action from the very first FakeChat campaign we identified, the group worked to keep the malware stealthy and ride the rising tides of online shopping that have been booming during the COVID-19 pandemic. The first campaign we discovered distributed the malware under the guise of an application named Correos, the state-owned company responsible for providing postal service in Spain. It then tried to impersonate other apps, such as DHL, FedEx and MRW in delivery-themed campaigns. Behind the branding, almost all infection package names use the Android package (APK) name that WeChat employs (com.tencent.mm or com.tencent.mobileqq), which is what made our team call this malware FakeChat.
During our research, we were able to obtain both development and production versions of the malware’s code, which enabled us to gain deeper insights into FakeChat’s operation and genealogy.
FakeChat’s Infection Tactic
Most FakeChat victims are infected by a SMiShing campaign in which a phishing short message service (SMS) text leads the victim to a hacked website or other infection zone, which presents a social engineering page. The page asks the victim to download an application they supposedly need in order to track/receive their package, concealing the FakeChat infection package. After the victim clicks the download button, the malware is downloaded to the device.
Figure 1: Instructions in Spanish on how to turn on Android’s ‘install from unknown’ feature, so that malware can be installed from any source
Infection Campaign Stats
IBM Trusteer researchers monitored FakeChat infection campaigns, all of which used postal services or delivery as their main lure. Starting with the successful Correros-themed campaign, the second campaign to occur was a smaller DHL-themed campaign. The third campaign, FedEx, was the largest we have observed to date. The fourth and most recent featured MRW as the lure.
Figure 2: FakeChat campaign peaks between Dec.17-20 and April 5-21 in Spain indicating infections per million end-users (Source: IBM Trusteer)
Figure 3: FakeChat campaign sizes in Spain Q1 2021 (Source: IBM Trusteer)
FakeChat vs. Other Financial Android Malware in Spain
Figure 4: Financial malware campaigns targeting Spain in Q1 2021 (Source: IBM Trusteer)
Accessibility Privilege Requested
After the malware installs, the victim sees one of the following accessibility request screens (depending on the campaign) requesting them to grant accessibility privileges to the malware app.
Figure 5: FakeChat requires the victim to approve accessibility privileges on the device
Automatically Grant Permissions With Accessibility Service
After the victim grants accessibility privileges to the malware, FakeChat grants itself all the other permissions it needs to conduct malicious activity without the victim’s knowledge and without the victim needing to accept further permission requests.
Figure 6: FakeChat permissions
If the malware is installed on a device with Android 10 or earlier, it hides its icon for stealth.
Another stealth method that was found in the malware is the ability to disable Play Protect and prevent uninstallation by the device’s owner.
FakeChat Set as Default SMS App
After it is granted accessibility privileges by the victim, FakeChat also sets itself as the default SMS app, which enables it to hijack incoming SMS messages and forward them to the attacker. In cases where an additional authentication or authorization code is required for the attackers to finalize fraudulent activity and where the code is sent via SMS, the malware can steal it from the infected device.
By grabbing the SMS code, FakeChat can compromise SMS-based two-factor authentication. In addition, FakeChat can mute all SMS notifications to keep the victims unaware of the fraudulent activity taking place in their account.
FakeChat’s Fraud Method
FakeChat is part of the overlay malware category. It aims to phish user credentials by presenting a fake overlay login screen on top of the legitimate app to trick the user into submitting their password on the wrong activity screen.
To know when a victim opens a targeted app, FakeChat keeps tabs on the user’s activities. Throughout its ongoing operations, FakeChat checks for installed applications and dynamically fetches a matching HTML overlay from its C2 server. It constantly monitors for the launch of targeted banking applications on the infected device.
FakeChat fetches the overlay screen in real time. To get the right overlay screen from the C2, the malware first sends a list of all applications installed on the victim’s device. The C2 replies with a list of applications for which it has a match. The malware retrieves the matching HTML overlay for each ‘injectable’ application from the C2 and presents it to the user once the targeted application is launched.
The overlay screen, hiding the original login page from the legitimate app, typically requests the victim’s online banking credentials, credit card details or login details for other targeted accounts. The malware overlay closely resembles the legitimate application’s look and feel, making it less likely a user would suspect it. Once the malware app receives the user’s credentials, it sends the details to the C2 server.
Figure 7: FakeChat phishing asking for payment card details
Figure 8: FakeChat phishing asking for mobile banking credentials
FakeChat’s C2 Commands
Once it is up and running on infected devices, FakeChat can handle various commands from the attacker’s server. These commands allow the malware to run its operations, interact with the device, run additional files and install apps, grab SMS content and exfiltrate data.
A more complete list of commands appears below:
- 0 – GET_CONTACTS — Upload all contacts to the C2.
- 1 – SMS_INT_TOGGLE — If the SMS_INT_TOGGLE flag is turned on it sends every SMS to the C2.
- 2 – NOTIF_INT_TOGGLE — If the NOTIF_INT_TOGGLE flag is turned on it sends every notification to the C2.
- 3 – OPEN_URL — Open an arbitrary URL with WebView.
- 4 – DISABLE_PLAY_PROTECT — Disable Play Protect to prevent malware scanning on the device.
- 5 – CARD_BLOCK — Start the overlay card activity. (Figure 7.)
- 6 – SEND_SMS — Send an arbitrary SMS from the victim’s device.
- 7 – RELOAD_INJECTS — If the C2 got new overlays to a new bank it can update all the overlays in the malware.
- 8 – RETRY_INJECT — Clear flag value saved in shared preferences. Can be used to request to show card activity overlay again.
- 9 – RUN_USSD—- Execute a USSD command by performing a call.
- 10 – UNINSTALL_APP — Uninstall an arbitrary application.
- 11 – BLOCK — Hide all notifications shown to the user.
- 12 – SOCKS — Transform the infected device to a SOCKS proxy server.
- 13 – UPLOAD_SMS — Upload all SMS from the device to the C2.
Command Evolution per FakeChat Bot Version
IBM Trusteer researchers studied the progression and capabilities of FakeChat for each bot version and compared it to the previous ones. The following table presents the features added to FakeChat over time.
Table 1: FakeChat bot command evolution
FakeChat’s Notable Malware Features
Bot Configuration and Versioning
After unpacking and string de-obfuscation, FakeChat’s malware configuration is saved alongside other data in a ProgConfig class. We can see the bot version, partial server path, shared preference keys, RSA key, FakeChat commands and some permissions all in the same place.
Figure 9: Bot configuration
Use of DGA to Communicate with C2
The malware uses a DGA to generate new domain names for the C2 server. The domains are not fully random and are determined by a seed that is generated based on current year and month parameters. The code for the current DGA yields 5,000 new domains (versus 2,000 in older versions) every month.
In earlier releases of FakeChat’s code version 3.4, the malware serially tried to communicate with those pre-generated C2 domains. Our assumption is that due to security researchers discovering the method, the malware authors have decided to harden their infrastructure against sinkholing by attempting to communicate with the C2 domains in a random order (and also generate 5,000 domains instead of 2,000).
Figure 10: FakeChat’s DGA in version 3.8
Figure 11: FakeChat’s DGA — Seed generation code
FakeChat’s Impending Key Logger Capabilities
In more recent versions of FakeChat, the authors started to develop a new capability to steal user credentials from other apps on the device. This capability is still not fully fleshed out. For now, the malware abuses the accessibility privileges to grab text from different applications.
We believe that developing keylogging capabilities is evidence that the authors intend to keep evolving the malware’s data exfiltration ability and that they may be searching for new ways to steal bank credentials from the victim, even without having overlays for all banks and services that users may enjoy on their smartphones.
Figure 12: Get front app text in MyAccessibility class
OpSec: String Obfuscation and Packer Rotation
Malware authors often attempt to hinder the efforts of outsiders to reverse-engineer their code. FakeChat does not feature much in that area. It does use publicly available string obfuscation, the Paranoid Gradle plugin (see Paranoid), to obfuscate strings in the APK. It also uses different packers for different bot versions.
Bot Error Monitoring and Exception Handling
Malware authors can monitor every crash that the malware has in order to improve the bot. Every exception is sent automatically to the C2 server.
Figure 13: MyExceptionHandler class
Starting in Android 6, the operating system preserves battery life by limiting apps that can work in the background. FakeChat abuses accessibility privileges to grant itself with REQUEST_IGNORE_BATTERY_OPTIMIZATIONS to keep the device alive even when the victim is not actively using it.
Figure 14: FakeChat bypass of automatic battery optimization
Blocking the Uninstall
Any active window that includes the text FluBot and is not Play Protect is minimized by the malware to prevent the user from uninstalling the malware.
Figure 15: FakeChat hides uninstall option from the user
A community tool that can remove the FakeChat app from infected devices is the application malninstall. To that effect, FakeChat’s authors left the following message in Russian for those who wrote the removal tool.
Figure 16: Translates to “Keep another $25, boy :))”
Do Not Operate on Post-Soviet Block Phones
FakeChat is programmed to halt any malicious activity on devices that use the following languages: Belarusian, Armenian, Kazakh, Kirghiz, Romanian, Moldavian, Russian, Tajik, Ukraine and Uzbekistani. When malware authors specify this sort of avoidance, it is typically indicative they are potentially located in these regions and would rather avoid local victims to prevent issues with local law enforcement.
Figure 17: FakeChat instruction to terminate when language code matches specific settings
The End of FakeChat?
On March 5, 2021, some of the FakeChat local operators in Spain were arrested, hinting at the possible end of the app’s development and spreading efforts.
Figure 18: Notice quoting Catalonian police (obtained via Twitter)
However, our telemetry continues to monitor this malware more than a month past the arrest, and it is apparent that FakeChat’s operation took a hit but has kept on going.
In early April, Trusteer researchers did detect new versions of the FakeChat spreading outside of Spain and infecting users in Poland, Germany and Hungary, to name a few countries. We believe this malware will continue to evolve and spread further in the wild in the second quarter of 2021.
Mapping to MITRE Mobile Attack Techniques
Figure 19: FakeChat fraud-facilitating features
List of Related Package Names
- com.example.myapplicationtest — developer versions
SHA-256 Samples From This Research