{
	"id": "24fcf5d2-e745-46d0-8cf1-50c964727745",
	"created_at": "2026-04-06T03:36:10.792958Z",
	"updated_at": "2026-04-10T03:34:59.323088Z",
	"deleted_at": null,
	"sha1_hash": "90f5004f2e396cc0ef9cf949d0d2345da69ab6dd",
	"title": "FakeSpy Masquerades as Postal Service Apps Around the World",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4137764,
	"plain_text": "FakeSpy Masquerades as Postal Service Apps Around the World\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-06 03:11:36 UTC\r\nKey Findings\r\nThe Cybereason Nocturnus team is investigating a new campaign involving FakeSpy, an Android mobile\r\nmalware that emerged around October 2017. FakeSpy is an information stealer used to steal SMS\r\nmessages, send SMS messages, steal financial data, read account information and contact lists, steal\r\napplication data, and do much more.\r\nFakeSpy first targeted South Korean and Japanese speakers. However, it has begun to target users all\r\naround the world, especially users in countries like China, Taiwan, France, Switzerland, Germany, United\r\nKingdom, United States, and others.\r\nFakeSpy masquerades as legitimate postal service apps and transportation services in order to gain the\r\nusers' trust. Once installed, the application requests permissions so that it may control SMS messages and\r\nsteal sensitive data on the device, as well as proliferate to other devices in the target device’s contact list.\r\nCybereason's investigation shows that the threat actor behind the FakeSpy campaign is a Chinese-speaking\r\ngroup dubbed \"Roaming Mantis\", a group that has led similar campaigns.\r\nFakeSpy has been in the wild since 2017; this latest campaign indicates that it has become more powerful.\r\nCode improvements, new capabilities, anti-emulation techniques, and new, global targets all suggest that\r\nthis malware is well-maintained by its authors and continues to evolve.\r\ntable of contents\r\nKey Findings\r\nIntroduction\r\nThreat Analysis\r\nFakespy Code Analysis\r\nDynamic Library Loading\r\nStealing Sensitive Information\r\nAnti-Emulator Techniques\r\nUnder Active Development\r\nWho is Behind Fakespy's Smishing Campaigns?\r\nConclusions\r\nCybereason Mobile Detects and Stops FakeSpy\r\nIndicators of Compromise\r\nIntroduction\r\nFor the past several weeks, Cybereason has been investigating a new 
version of Android malware dubbed\r\nFakeSpy, which was first identified in October 2017 and reported again in October 2018. A new campaign is up\r\nhttps://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world\r\nPage 1 of 24\n\nand running using newly improved, significantly more powerful malware as compared to previous versions.\r\nFakeSpy is under active development and is evolving rapidly; new versions are released every week with\r\nadditional evasion techniques and capabilities. \r\nOur analysis shows that the threat actor behind the FakeSpy malware is a Chinese-speaking group, commonly\r\nreferred to as \"Roaming Mantis\", a group that is known to have launched similar campaigns in the past. FakeSpy\r\nis an information stealer that exfiltrates and sends SMS messages, steals financial and application data, reads\r\naccount information and contact lists, and more.\r\nThe malware uses smishing, or SMS phishing, to infiltrate target devices, which is a technique that relies on social\r\nengineering. The attackers send fake text messages to lure the victims to click on a malicious link. The link directs\r\nthem to a malicious web page, which prompts them to download an Android application package (APK).\r\nThis most recent FakeSpy campaign appears to target users of postal services around the world. New versions of\r\nFakeSpy masquerade as government post office apps and transportation services apps. Our analysis indicates that\r\nthe threat actors are no longer limiting their campaigns to East Asian countries, but are targeting additional\r\ncountries around the world.\r\nThreat Analysis\r\nInfection Vector: Smishing Your Device\r\nThus far, FakeSpy campaigns are characterized by SMS phishing (a.k.a. smishing). These SMS messages\r\nmasquerade as a message from the local post office and link to the FakeSpy download. 
In a previous campaign\r\nreported by JPCERT, mobile users were alerted by phishing messages containing “delivery updates” purportedly\r\nfrom Sagawa Express.\r\nFake SMS message luring users to enter a fake website, which contains the malicious APK (JPCERT report).\r\nClicking the SMS link brings the user to a fake website that prompts them to download and install the FakeSpy\r\nAPK, which is masquerading as a local postal service app.\r\nTargeting Postal and Transportation Services Companies\r\nOne of the most significant findings is that new versions of FakeSpy target not only Korean and Japanese\r\nspeakers, but also users of almost any postal service company around the world.\r\nExample of more recent FakeSpy campaigns targeting France.\r\nNew FakeSpy campaign applications leveraging fake postal services apps.\r\nAll recent FakeSpy versions contain the same code with minor changes. The FakeSpy malware has been found to\r\nmasquerade as any of the following companies:\r\nUnited States Postal Service - An independent agency of the executive branch of the United States federal\r\ngovernment. USPS is the most well-known branch of the US government and provides a publicly funded\r\npostal service.\r\nRoyal Mail - British postal service and courier company. 
For most of its history it operated as a\r\ngovernment department or public corporation.\r\nDeutsche Post - Deutsche Post DHL Group, a German multinational package delivery and supply chain\r\nmanagement company headquartered in Bonn.\r\nLa Poste - La Poste is a public limited postal service company in France.\r\nJapan Post - A private Japanese postal, logistics and courier company headquartered in Tokyo.\r\nYamato Transport - One of Japan's largest door-to-door delivery service companies, also in Tokyo.\r\nChunghwa Post - The government-owned corporation Chunghwa is the official postal service of Taiwan.\r\nSwiss Post - The national postal service of Switzerland, a fully state-owned limited company (AG)\r\nregulated by public law.\r\nThe fake applications are built using WebView, a popular extension of Android’s View class that lets the developer\r\nshow a webpage. FakeSpy uses this view to redirect users to the original post office carrier webpage on launch of\r\nthe application, continuing the deception. This allows the application to appear legitimate, especially given these\r\napplications' icons and user interface.\r\nNew FakeSpy applications masquerading as post office apps.\r\nFakeSpy Code Analysis\r\nOnce the user clicks on the malicious link from the SMS message, the app asks them to approve installation from\r\nunknown resources. This configuration can be toggled on by going to ‘Settings’ -\u003e ‘Security’ -\u003e ‘Unknown\r\nResources’. 
PackageInstaller shows the app’s permission access and asks for the user's approval, which then\r\ninstalls the application.\r\nThis analysis dissects FakeSpy’s Chunghwa Post app version, which emerged in April 2020.\r\nDuring the installation, the malware asks for the following permissions:\r\nREAD_PHONE_STATE - Allows read-only access to the phone state, including the current\r\ncellular network information, the status of any ongoing calls, and a list of any PhoneAccounts\r\nregistered on the device.\r\nREAD_SMS - Allows the application to read text messages.\r\nRECEIVE_SMS - Allows the application to receive SMS messages.\r\nWRITE_SMS - Allows the application to write to SMS messages stored on the device or SIM card,\r\nincluding deleting messages.\r\nSEND_SMS - Allows the application to send SMS messages.\r\nINTERNET - Allows the application to open network sockets.\r\nWRITE_EXTERNAL_STORAGE - Allows the application to write to external storage.\r\nREAD_EXTERNAL_STORAGE - Allows the application to read from external storage.\r\nRECEIVE_BOOT_COMPLETED - Allows the application to receive a broadcast after the system\r\nfinishes booting.\r\nGET_TASKS - Allows the application to get information about current or recently run tasks\r\n(deprecated in API level 21).\r\nSYSTEM_ALERT_WINDOW - Allows the application to create windows shown on top of all\r\nother apps.\r\nWAKE_LOCK - Allows the application to use PowerManager WakeLocks to keep the processor\r\nfrom sleeping or the screen from dimming.\r\nACCESS_NETWORK_STATE - Allows the application to access information about networks.\r\nREQUEST_IGNORE_BATTERY_OPTIMIZATIONS - Whitelists the application to allow it to\r\nignore battery optimizations.\r\nREAD_CONTACTS - Allows the application to read the user's contacts data.\r\nFakeSpy package 
permissions.\r\nOn opening the app, two pop-up messages appear on screen:\r\nChange SMS App: This sets permissions to intercept every SMS received on the device and send a copy\r\nof these messages to the C2 server.\r\nIgnore Battery Optimization: This sets permissions to continue to operate at full capacity while the\r\nphone's screen is turned off and the phone is locked.\r\nThese requests rely on the end user accepting the permission changes and point to the importance of healthy\r\nskepticism when granting applications permissions.\r\nFakeSpy Chunghwa Post version installation process and application UI.\r\nDynamic Library Loading\r\nOnce the application has finished the installation process, the malware starts its real malicious activity. The\r\nmalicious application da.hao.pao.bin (Chunghwa Post) loads a library file libmsy.so used to execute the packed\r\nmycode.jar file. 
The JAR file is the decrypted version of the file tong.luo, which is located in the assets folder.\r\nDecompiled APK resources.\r\nComparing the size of the encrypted asset file tong.luo with that of the decrypted JAR file mycode.jar shows that\r\nthey are almost the same size, indicating that they are the same file.\r\nComparing encrypted vs decrypted asset file.\r\nAfter libmsy.so decrypts the asset file tong.luo, it loads mycode.jar dynamically into FakeSpy’s process, as is\r\nshown by the output of the “adb logcat” command.\r\nLogcat logs show FakeSpy uses libmsy.so to execute the malicious packed mycode.jar file.\r\nAnalyzing the running processes on the infected device shows that the malware creates a child process of itself\r\nto perform the multi-process ptrace anti-debugging technique.\r\nFakeSpy uses an anti-debugging technique by creating another child process of itself.\r\nBy performing a deep analysis of the malware, we were able to extract the unpacked JAR file mycode.jar and\r\nreveal some very interesting code.\r\nStealing Sensitive Information\r\nFakeSpy has multiple built-in information stealing capabilities. The first function is used for contact information\r\nstealing: the function upCon steals all contacts in the contact list and their information. It then sends this data to the C2\r\nserver using the URL that ends with /servlet/ContactUpload. 
The stolen data fields are:\r\nMobile - The infected device's phone number and the contact’s phone number\r\nContacts - A header used by the attacker to distinguish between the types of stolen information received\r\nName - Contact’s full name (display name)\r\nupCon (upload contact) function used for stealing contact list information.\r\nFor testing purposes, we inserted a fake contact list into our Android emulator and observed the resulting behavior.\r\nExfiltrated contact list data sent to the C2 server.\r\nThe second stealing function is onStartCommand, which steals infected device data and additional\r\ninformation. The stolen data is sent to the C2 server using the URL ending with /servlet/xx. The stolen data fields\r\nare:\r\nMobile - The infected device phone number\r\nMachine - The device model (in our example: Google Pixel 2)\r\nSversion - The OS version\r\nBank - Checks if there are any banking-related or cryptocurrency trading apps\r\nProvider - The telecommunication provider (IMSI value in device settings)\r\nnpki - Checks for a folder named NPKI (National Public Key Infrastructure) that might contain authentication\r\ncertificates related to financial transactions\r\nonStartCommand function for stealing device information and additional sensitive data.\r\nExfiltrated device information and additional sensitive data sent to the C2 server.\r\nFakeSpy asks to be the default SMS app because it uses the function onReceive to intercept incoming SMS\r\nmessages. It saves the messages’ metadata and content, filters the information by fields, and sends them to the C2\r\nserver using the URL /servlet/SendMassage2. 
The fields it collects are:\r\nMobile - The phone number that sent the SMS\r\nContent - The message body\r\nSender - The name of the contact who sent the message\r\nTime - The time the message was received\r\nonReceive function used to intercept incoming SMS messages.\r\nThe malware uses the function sendAll to send messages that spread the malware to other devices. It sends a\r\nsmishing message to the entire contact list of the infected device along with the malicious link to the FakeSpy\r\ninstallation page.\r\nsendAll function used to spread malicious messages to the contact list.\r\nAnother interesting feature in FakeSpy’s code is the collection of the device's IMEI (International Mobile Station\r\nEquipment Identity) number and all installed applications using the function upAppinfos. It sends all of this data\r\nto the C2 server using the URL ending with /servlet/AppInfos.\r\nupAppinfos function used for obtaining the device IMEI and all of its installed applications.\r\nFakeSpy is able to check the network connectivity status by using the function isNetworkAvailable. What makes\r\nthis function more suspicious is the two strings written in Chinese characters:\r\n===状态=== (===Status===) - Checks whether the device is connected to a network\r\n===类型=== (===Type===) - Checks whether the device sees available nearby Wi-Fi networks\r\nisNetworkAvailable function used for monitoring network connectivity status.\r\nAnti-Emulator Techniques\r\nFakeSpy appears to use multiple techniques to evade detection when run in an emulator. 
It shows that the malware can\r\ndetect whether it’s running in an emulated environment or on a real mobile device, and can change its code pattern\r\naccordingly.\r\nThe first example of this is in the onStart function, where the malware looks for the string “Emulator” and an x86\r\nprocessor model.\r\nAnti-emulator code.\r\nIn order to simulate this technique, we took two videos side by side of how FakeSpy (the Royal Mail sample)\r\nbehaves differently on a physical device versus an emulator.\r\nFakeSpy behavior on physical device vs emulator (anti-emulator).\r\nThis simulation shows that FakeSpy behaves differently on a physical device versus an emulator. When executed\r\nthe second time by clicking on the app on the physical device, FakeSpy redirects to the app settings. In contrast,\r\non the emulator, a toast message is displayed that shows “Install completed”, at which point FakeSpy removes its\r\nshortcut from the device's homescreen.\r\nAnother example of FakeSpy’s anti-emulation techniques is how it uses the getMachine function, which uses the\r\nTelephonyManager class to check for the deviceID, phone number, IMEI, and IMSI. Some emulators build their\r\nphone number out of the default number created in the emulator software and the port number: 5554.\r\ngetMachine function using anti-emulator technique.\r\nUnder Active Development\r\nA comparison of new FakeSpy samples with old ones showed code discrepancies and new features. These artifacts\r\nindicate that FakeSpy's campaign is still live and under development.\r\nThe newer version of FakeSpy uses new URL addresses for its malicious C2 communication. The function\r\nmain uses a DES encryption algorithm to encode these addresses. 
The examples below show the plaintext key\r\n“TEST” to decrypt encoded hexadecimal strings (jUtils.decrypt()). These encoded strings contain the new URL\r\naddresses not seen in older versions of FakeSpy.\r\nComparing strings from an old FakeSpy sample to a new one.\r\nWho is Behind FakeSpy’s Smishing Campaigns?\r\nThe Cybereason Nocturnus team suspects that the malware operators and authors are Chinese speakers. Our\r\nfindings, along with previous research, indicate that the threat actor behind these recent campaigns is likely a\r\nChinese group dubbed “Roaming Mantis”.\r\nRoaming Mantis is believed to be a Chinese threat actor group first discovered in April 2018 that has continuously\r\nevolved. In the beginning, this threat group mainly targeted Asian countries. Now, they are expanding their\r\nactivity to audiences all around the world. As part of their activities, they are known for hijacking DNS settings on\r\nJapanese routers that redirect users to malicious IP addresses, creating disguised malicious Android apps that\r\nappear as popular apps, stealing Apple ID credentials by creating Apple phishing pages, as well as performing web\r\ncrypto mining on browsers.\r\nConnection to China\r\nChinese server infrastructure: FakeSpy applications send stolen information to C2 domains with .club\r\nTLDs and URLs ending with /servlet/[C2 Command] (mentioned above in the “Stealing Sensitive\r\nInformation” section). 
All of these domains are registered to ‘Li Jun Biao’ on Bizcn, Inc, a Chinese Internet\r\napplication service provider.\r\nDomain profile example for one of the C2 servers.\r\nVirusTotal historical WhoIs lookup of the C2 server.\r\nChinese language traces in the code: During the investigation, the Cybereason Nocturnus team\r\ndiscovered code artifacts that may indicate Chinese threat actors. For example, we found several suspicious\r\nstrings written in the Chinese language in a function called isNetworkAvailable, previously discussed in\r\nthis blog:\r\nTwo suspicious strings written in Chinese found in FakeSpy’s code\r\nAn almost identical function is mentioned in earlier research that ties FakeSpy and other malware to the\r\nRoaming Mantis group.\r\nChinese APK names: Some of FakeSpy’s APK package names contain anglicized Chinese (Mandarin)\r\nwords that might be related to Chinese songs and lyrics, food, provinces, etc.\r\nFakeSpy packages’ application ID names with references to their possible meaning.\r\nConclusions\r\nFakeSpy was first seen in October 2017 and until recently mainly targeted East Asian countries. Our research\r\nshows fresh developments in the malware’s code and sophistication, as well as an expansion to target Europe and\r\nNorth America. This mobile malware masquerades as legitimate, trusted postal service applications so that it can\r\ngain the users' trust. Once it has been installed, it requests permissions from the user so that it can steal sensitive\r\ndata, manipulate SMS messages, and potentially infect the user's contacts.\r\nThe malware now targets more countries all over the world by masquerading as official post office and\r\ntransportation services apps. 
These apps appear legitimate due to their app logo, UI appearance, and redirects to\r\nthe carrier webpage, all of which lure end users into believing it is the original one.\r\nIn this blog, we showed that the threat actor behind the recent FakeSpy campaign is a Chinese-speaking group\r\ncalled “Roaming Mantis” known to operate mainly in Asia. It is interesting to see that the group has expanded\r\ntheir operation to other regions, such as the United States and Europe.\r\nThe malware authors seem to be putting a lot of effort into improving this malware, bundling it with numerous\r\nnew upgrades that make it more sophisticated, evasive, and well-equipped. These improvements render FakeSpy\r\none of the most powerful information stealers on the market. We anticipate that this malware will continue to evolve\r\nwith additional new features; the only question now is when we will see the next wave.\r\nCybereason Mobile Detects and Stops FakeSpy\r\nCybereason Mobile detects and blocks FakeSpy’s malicious activity in real time to prevent any damage or\r\ncompromise to the infected mobile device. Furthermore, it offers the user the option to remove the malware and\r\nprevent further infection.\r\nThe Cybereason app detects and prevents FakeSpy malware (e.g. 
Royal Mail version), while giving helpful\r\nrecommendations.\r\nIndicators of Compromise\r\nThe campaign's IOCs are available as a PDF download.\r\nOfir Almkias\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government\r\nintelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing\r\nnew attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The\r\nCybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit\r\ncyberattacks.\r\nSource: https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"
	],
	"report_names": [
		"fakespy-masquerades-as-postal-service-apps-around-the-world"
	],
	"threat_actors": [
		{
			"id": "c94cb0e9-6fa9-47e9-a286-c9c9c9b23f4a",
			"created_at": "2023-01-06T13:46:38.823793Z",
			"updated_at": "2026-04-10T02:00:03.113045Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group"
			],
			"source_name": "MISPGALAXY:Roaming Mantis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9bc28d0-ce98-4991-84ae-5036e5f9d4e3",
			"created_at": "2022-10-25T16:07:24.546437Z",
			"updated_at": "2026-04-10T02:00:05.029564Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group",
				"Shaoye"
			],
			"source_name": "ETDA:Roaming Mantis",
			"tools": [
				"MoqHao",
				"Roaming Mantis",
				"SmsSpy",
				"Wroba",
				"XLoader"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446570,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/90f5004f2e396cc0ef9cf949d0d2345da69ab6dd.pdf",
		"text": "https://archive.orkl.eu/90f5004f2e396cc0ef9cf949d0d2345da69ab6dd.txt",
		"img": "https://archive.orkl.eu/90f5004f2e396cc0ef9cf949d0d2345da69ab6dd.jpg"
	}
}