{
	"id": "0bd826e2-92be-494c-b711-27de84d1b4d1",
	"created_at": "2026-04-06T00:07:48.975439Z",
	"updated_at": "2026-04-10T03:21:31.793987Z",
	"deleted_at": null,
	"sha1_hash": "48ccd73d316fc1a741d6ebce01af9bf0875aacb3",
	"title": "FunkyBot: A New Android Malware Family Targeting Japan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 770156,
	"plain_text": "FunkyBot: A New Android Malware Family Targeting Japan\r\nBy Dario Durando\r\nPublished: 2019-09-04 · Archived: 2026-04-05 16:00:37 UTC\r\nLast year, FortiGuard Labs identified a malware campaign targeting Japanese users. The campaign impersonated a\r\nlogistics company and deployed an Android malware called FakeSpy.\r\nWe have been monitoring these actors and the phishing websites they created, and recently we noticed that they\r\nhave started deploying a different Android payload.\r\nAs in their previous campaigns, the delivered APK consists of a packer and a payload. However, both of these are\r\ndifferent from the ones we have encountered previously.\r\nIn this blog post, we will provide a deep analysis of both the packing mechanisms as well as the deployed\r\npayload, which to the best of our knowledge is a new malware family. It may have been developed by the same\r\npeople behind the campaign as a substitute for the too-well-known FakeSpy malware family they have been using\r\nup to now. Based on logging strings found in the persistence mechanism of the payload, as seen in figure 7, we\r\nhave decided to call this new malware family FunkyBot.\r\nWe will be analysing the following sample:\r\n152be211ecd21c8abfd7c687a5ca8a17906f589c59055516e5482ff3fcf42dbf\r\nPacker\r\nThe packer is made of two separate parts:\r\nJava code contained in the classes.dex file\r\nNative code contained in the libcsn.so file\r\nJava Functions\r\nThe code of the packer in the sample we analysed was obfuscated. Luckily, after some searching we were able to\r\nfind an un-obfuscated version of the code, and we will be using that.\r\nThe reference sample for the packer is the following:\r\nb4f3b7850c4332bcf85bbd64ebd6d837a3de64a03c1150cdd27e41599d2852b6\r\nThe first interesting function that is executed is _attachBaseContext(Context base). This function accesses the\r\nconfiguration file contained in the asset folder of the APK. 
In this case, it is a JSON file called ‘_dcfg_.data’, and\r\nit loads the following parameters:\r\n“size”: identifies the number of ‘.dex’ payloads that the packer has to generate\r\nhttps://www.fortinet.com/blog/threat-research/funkybot-malware-targets-japan.html\r\nPage 1 of 9\n\n“payloadType”: identifies where the encrypted data of the payload is located\r\n“isTestIn”: flag used for testing purposes\r\n“type”: identifies the kind of encryption used\r\nIn the samples we analysed, we found the following two configurations:\r\n{\"size\":2,\"payloadType\":0,\"isTestIn\":\"0\",\"type\":3}\r\n{\"size\":2,\"payloadType\":1,\"isTestIn\":\"0\",\"type\":3}\r\nThe packer determines which version of Android it is running on in order to generate the proper payload. It also\r\ngoes the extra mile and generates some fake dex files to possibly confuse malware analysts.\r\nFigure 1: Creation of fake Dex files\r\nIt then checks the ‘payloadType’ value, and if the value is equal to 1, it will copy the asset data to another folder.\r\nOtherwise, it will proceed without moving anything, as it uses the classes.dex file loaded in memory instead.\r\nFigure 2: Extraction of Dex encrypted file\r\nJNI Functions\r\nThe class JNITools declares a set of native functions that are contained in libcsn.so.\r\nFigure 3: JNITools native functions declaration\r\nThe native JNI_OnLoad function, which is run when the library is loaded, registers the native functions declared\r\nin JNITools, allowing them to be called under a naming scheme different from the usual\r\nJava_\u003cclassName\u003e_\u003cFunctionName\u003e, probably to make the reversing process harder.\r\nIf the value of the configuration variable ‘type’ is different from 0 (which means the payload needs to be\r\ndecrypted), the code accesses the folder /data/data/\u003cappname\u003e/app_csn0/ and creates a folder ‘.unzip’ in it. 
Note\r\nthat the name of the folder contains a dot as the first character, making it invisible to a normal ls command.\r\nThe decryption routines are run on a file generated from the encrypted payload data. This data is obtained from\r\none of two sources, based on the value of ‘payloadType’:\r\n0: the ‘classes.dex’ file, containing all the executed code\r\n1: an asset file, in this case assets/csn-enc.data\r\nIn the first case, the packer accesses the /proc/\u003cpid\u003e/maps file to locate the memory where the classes.dex file is\r\nloaded, and then looks for a specific set of characters in memory that identify the beginning of the encrypted data.\r\nIn this case, the magic word is `csn_`. When found, it starts copying from that point onwards.\r\nFigure 4: Searching for Magic 'csn_'\r\nThe different values of the configuration variable ‘type’ correspond to different decryption routines. The code\r\nsupports the following values:\r\n0: No encryption\r\n2/3: variations of XOR-based decryption with the value `0x51` (81)\r\nFigure 5: Decrypt Switch\r\nIn the samples presented here, the configuration always had a value of 3, which corresponds to the following\r\ndecryption function:\r\nFigure 6: Decryption 'type' 3\r\nThese routines then generate a ‘classes.dex’ payload file that is loaded by the ClassLoader.\r\nPayload: FunkyBot\r\nIn the sample analysed, the payload consisted of two .dex files: one is a copy of the original legitimate\r\napplication that the malware is impersonating, and the other is the malicious code.\r\nThe payload is started by calling the method `runCode` of the class `com.wfk.injectplugin.EntryPoint` through Java\r\nreflection. 
This method starts `KeepAliceMain.start()`.\r\nFigure 7: EntryPoint\r\nKeepAliceMain\r\nThis class is used as a persistence mechanism by the malware. It uses an open source library that can be found on\r\nGitHub to keep the service alive on the device. It also allows the malware to mute sounds from the device, even\r\nthough in this specific instance this functionality is not used.\r\nThis class periodically re-launches the main service used by the malware to create a gRPC connection to a remote\r\nserver.\r\nGRPC Client\r\nCommand and Communication Address\r\nThe server address is not hardcoded in the `classes.dex` file, but it is retrieved during execution. The code\r\nexecutes the function `GprcsUtils.Regist_Server(String str)`, which calls `UrlTool.loadIPAddrFromIns()` to\r\nextract the C2 URL.\r\nFigure 8: Loaded IP from Instagram\r\nMuch like Anubis used to do with fake Telegram and Twitter accounts, this malware uses social media to obtain its\r\nC2: it downloads the webpage of a photo-less Instagram account. 
It then extracts the biography field of this\r\naccount and decodes it using Base64.\r\nFigure 9: Fake Instagram account\r\nFinally, the resulting string is decrypted using DES with a key generated using the value\r\n`d2a57dc1d883fd21fb9951699df71cc7` as its seed (which happens to be the MD5 hash corresponding to the word\r\n‘app’), as can be seen in figure 8 under the String variable str3.\r\nThe resulting URL is 149.28.24.166:11257 and the fake accounts have been reported to Instagram.\r\nSMS Service\r\nAfter the connection to the server is started, the malware proceeds to collect and send the following information\r\nabout the device:\r\nIMEI\r\nIMSI\r\nPhone number\r\nList of contacts\r\nThe amount of exfiltrated information is relatively limited, especially when compared to bigger families like\r\nAnubis, Cerberus, or Hydra. However, like previous campaigns, it also features aggressive spreading techniques.\r\nAfter having sent all of the device’s contacts to the C2, it waits for it to respond with a telephone number and a\r\nmessage body to construct an SMS. This strategy has been used by multiple campaigns, including FakeSpy and\r\nMoqHao, to enable the malware to spread in a worm-like fashion. It is logical to assume that this sample would do\r\nthe same.\r\nIt is interesting to note that the malware identifies the provider of the SIM card and looks specifically for one\r\nJapanese telecommunication provider. To do so, it checks the IMSI (International Mobile Subscriber\r\nIdentity) value of the device. 
This value is composed of two halves: the first identifies the provider, and the second\r\nis unique to the specific device.\r\nThe malware checks to see if the first half corresponds to one of its listed values, which are all connected to the\r\naforementioned provider.\r\nFigure 10: Checking if the device is served by a specific provider\r\nAt first, we thought the function might be used for some targeted action towards the\r\ncustomers of this provider. Instead, if the function `is\u003cProvider\u003e()` returns true, the malware simply\r\nproceeds to increase the value controlling the maximum number of SMS messages it allows itself to send.\r\nAfter some research, we concluded that this behaviour might just be because the provider enables customers to\r\nsend free SMS messages to each other, increasing the amount of traffic a single infected device is capable of\r\ngenerating before arousing suspicion.\r\nFinally, the malware is able to set itself as the default SMS handler application, and uses this to upload to the C2\r\nall the received messages. 
This functionality can be very dangerous, considering that most banks currently use\r\ntwo-factor authentication through SMS.\r\nConclusion\r\nBy monitoring the campaign primarily targeting Japanese service providers, FortiGuard Labs was able to identify\r\nthis campaign and what, to the best of our knowledge, is a new malware family.\r\nDuring our analysis, we also encountered other samples that were not completely developed and lacked some of\r\nthe functionalities discussed in this blogpost, suggesting that the malware is currently under development and is\r\nbeing tested in the wild.\r\nThe capabilities of this family are limited at the moment, but the fact that we were able to find different samples\r\nthat showed significant improvement in the span of a few weeks shows that this family should not be\r\nunderestimated.\r\nFortiGuard Labs will continue to monitor this campaign as it evolves.\r\n-=FortiGuard Lion Team=-\r\nSolutions\r\nFortinet customers are protected against this malware by the following signatures:\r\nPacker: Android/Agent.DDQ!tr\r\nPayload: Android/Funky.A!tr and Android/Funky.B!tr\r\nAcknowledgements\r\nI would like to thank Evgeny Ananin for his help in the research needed for this blogpost.\r\nIOC List:\r\nPackers:\r\nb4f3b7850c4332bcf85bbd64ebd6d837a3de64a03c1150cdd27e41599d2852b6\r\n152be211ecd21c8abfd7c687a5ca8a17906f589c59055516e5482ff3fcf42dbf\r\nPayloads:\r\n02036825d69208612fd281b3d4fd9be06fc315addeac1fe8872eb2cc9f6f1fcd\r\nbeb6cb245f6597b6d2b9e9232774329b94f2eada5980a3cb28f9100cc161f4a4\r\nCCs:\r\n149[.]28[.]24[.]166[:]11257\r\n108[.]61[.]187[.]156[:]11257\r\nSource: https://www.fortinet.com/blog/threat-research/funkybot-malware-targets-japan.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/funkybot-malware-targets-japan.html"
	],
	"report_names": [
		"funkybot-malware-targets-japan.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434068,
	"ts_updated_at": 1775791291,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/48ccd73d316fc1a741d6ebce01af9bf0875aacb3.pdf",
		"text": "https://archive.orkl.eu/48ccd73d316fc1a741d6ebce01af9bf0875aacb3.txt",
		"img": "https://archive.orkl.eu/48ccd73d316fc1a741d6ebce01af9bf0875aacb3.jpg"
	}
}