{
	"id": "702a9435-f8ba-4dd8-a7e1-867638aa9652",
	"created_at": "2026-04-06T00:22:17.735318Z",
	"updated_at": "2026-04-10T13:11:30.157635Z",
	"deleted_at": null,
	"sha1_hash": "246eda2c976f0386674e56d590d41ff9f769a1e2",
	"title": "FakeSpy Targets Japanese and Korean-Speaking Users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63968,
	"plain_text": "FakeSpy Targets Japanese and Korean-Speaking Users\r\nBy: Ecular Xu Jun 19, 2018 Read time: 4 min (1046 words)\r\nPublished: 2018-06-19 · Archived: 2026-04-05 13:14:52 UTC\r\nSpoofing legitimate mobile applications is a common cybercriminal modus operandi that banks on their popularity and relies on their users’ trust to steal information or deliver payloads. Cybercriminals typically use third-party app marketplaces to distribute their malicious apps, but in operations such as the ones that distributed CPUMINER, BankBot, and MilkyDoor, they would try to get their apps published on Google Play or App Store. We’ve also seen others take a more subtle approach that involves SMiShing to direct potential victims to malicious pages. Case in point: a campaign we recently observed that uses SMS as an entry point to deliver an information stealer we called FakeSpy (Trend Micro detects this threat as ANDROIDOS_FAKESPY.HRX).\r\nFakeSpy is capable of stealing text messages, as well as account information, contacts, and call records stored in the infected device. FakeSpy can also serve as a vector for a banking trojan (ANDROIDOS_LOADGFISH.HRX). While the malware is currently limited to infecting Japanese and Korean-speaking users, we won't be surprised if it expands its reach given the way FakeSpy’s authors actively fine-tune the malware’s configurations.\r\nAttack Chain\r\nWould-be victims will first receive a mobile text message masquerading as a legitimate message from a Japanese logistics and transportation company urging recipients to click the link in the SMS, as shown in Figure 1. The link will redirect them to the malicious webpage, and clicking any button will prompt users to download an Android application package (APK). The webpage also has a guide, written in Japanese, on how to download and install the app.\r\nFigure 1: Sample SMSs containing links to the malware\r\nFurther analysis indicates that this campaign also targets South Korean users, and has been active since October 2017. To Korean users, the information-stealing malware appears as an app for several local consumer financial services companies. When targeting Japanese users, it poses as apps for transportation, logistics, courier, and e-commerce companies, a mobile telecommunications service, and a clothing retailer.\r\nFigure 2: The malicious webpage with instructions on downloading and installing the application\r\nFigure 3: Screenshots of the malicious apps in Korean (left) and Japanese (center, right)\r\nTechnical Analysis\r\nFakeSpy’s configurations, such as the command-and-control (C\u0026C) server, are encrypted to evade detection. Once launched, FakeSpy will start monitoring for text messages that the affected device receives. These SMS messages are stolen and uploaded to the C\u0026C server. To send commands via JavaScript, FakeSpy also abuses the JavaScript bridge (JavaScriptInterface) to invoke the app’s internal functions by downloading and then running JavaScript from a remote website.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/\r\nPage 1 of 3\r\nFakeSpy’s commands include adding contacts to the device, setting it to mute, resetting the device, stealing stored SMS messages and device information, and updating its own configurations.\r\nFigure 4: FakeSpy’s encrypted configurations\r\nFigure 5: How FakeSpy uploads stolen text messages to the C\u0026C server\r\nFigure 6: FakeSpy using JavaScriptInterface to send commands\r\nFigure 7: Traffic from which attackers send the command to update FakeSpy’s configurations\r\nFakeSpy as a vector for a banking trojan\r\nApart from information theft, FakeSpy can also check for banking-related applications installed in the device. If they match FakeSpy’s apps of interest, they are replaced with counterfeit/repackaged versions that imitate the user interfaces (UI) of their legitimate counterparts. It phishes for the users’ accounts by ironically notifying users that they need to key in their credentials due to upgrades made on the app to address information leaks. It also warns users that their account will be locked. The stolen information is sent to the C\u0026C server once the users click on the login button. Besides online banking apps, it also checks for apps used for digital currency trading and e-commerce.\r\nFigure 8: Code snapshot showing FakeSpy checking for legitimate banking-related apps and replacing them with fake versions\r\nFigure 9: UI of the malicious app that phishes the user’s banking credentials\r\nFigure 10: Code snippets showing how the malicious app steals banking credentials\r\nEvading Detection\r\nFakeSpy’s author uses different approaches to hide and update the C\u0026C servers. It abuses social media by writing the IP address on a Twitter profile whose handles are regularly modified. The IP address starts with ^^ and ends with $$. When FakeSpy launches, it will access the Twitter page and parse its contents to retrieve the C\u0026C IP address. FakeSpy’s author also abuses forums and open-source dynamic domain tools in a similar manner. To further evade detection, the C\u0026C server address configured into the apps is updated at least once per day. It’s also worth noting that the cybercriminals behind FakeSpy are active, at least based on their activities on forums and the related URLs they register to host their malware.\r\nFigure 11: The Twitter pages that FakeSpy accesses to get the C\u0026C IP address\r\nFigure 12: FakeSpy using a forum (top) and dynamic domain tool (bottom) to hide the C\u0026C server\r\nBest Practices\r\nSMiShing is not a novel attack vector, but with social engineering, it can lure or compel victims into handing out personal or corporate data, or direct them to malware-hosting websites. Users should practice good security hygiene: think before clicking, download only from official app stores, and regularly update credentials and the device’s OS and apps. Check for telltale signs of phishing, such as grammar errors or certain characters used to spoof a legitimate URL, and more importantly, beware of unsolicited messages that seem to give a sense of unwanted urgency.\r\nWe’ve coordinated with the affected organizations about this threat. A list of indicators of compromise (IoCs) related to FakeSpy is in this appendix.\r\nTrend Micro Solutions\r\nTrend Micro™ Mobile Security for Android™ (also available on Google Play) blocks malicious apps that may exploit this vulnerability. End users and enterprises can also benefit from its multilayered security capabilities that secure the device’s data and privacy, and safeguard them from ransomware, fraudulent websites, and identity theft.\r\nFor organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites.\r\nTrend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/"
	],
	"report_names": [
		"fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434937,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/246eda2c976f0386674e56d590d41ff9f769a1e2.pdf",
		"text": "https://archive.orkl.eu/246eda2c976f0386674e56d590d41ff9f769a1e2.txt",
		"img": "https://archive.orkl.eu/246eda2c976f0386674e56d590d41ff9f769a1e2.jpg"
	}
}