{
	"id": "79714254-56db-4f40-b766-8f30bdf5d836",
	"created_at": "2026-04-06T00:21:39.490031Z",
	"updated_at": "2026-04-10T03:30:33.584927Z",
	"deleted_at": null,
	"sha1_hash": "f5c426e504d9d69600c4ca51dac955943f839e3e",
	"title": "FakeSpy Targets Japanese and Korean-Speaking Users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8341017,
	"plain_text": "FakeSpy Targets Japanese and Korean-Speaking Users\r\nBy: Ecular Xu, Jun 19, 2018 Read time: 4 min (1046 words)\r\nPublished: 2018-06-19 · Archived: 2026-04-05 15:53:56 UTC\r\nSpoofing legitimate mobile applications is a common cybercriminal modus operandi that banks on their popularity and\r\nrelies on their users’ trust to steal information or deliver payloads. Cybercriminals typically use third-party app\r\nmarketplaces to distribute their malicious apps, but in operations such as the ones that distributed CPUMINER,\r\nBankBot, and MilkyDoor, they would try to get their apps published on Google Play or the App Store. We’ve also\r\nseen others take a more subtle approach that involves SMiShing to direct potential victims to malicious pages.\r\nCase in point: a campaign we recently observed that uses SMS as an entry point to deliver an information stealer\r\nwe called FakeSpy (Trend Micro detects this threat as ANDROIDOS_FAKESPY.HRX).\r\nFakeSpy is capable of stealing text messages, as well as account information, contacts, and call records stored on\r\nthe infected device. FakeSpy can also serve as a vector for a banking trojan (ANDROIDOS_LOADGFISH.HRX).\r\nWhile the malware is currently limited to infecting Japanese and Korean-speaking users, we won't be surprised if\r\nit expands its reach given the way FakeSpy’s authors actively fine-tune the malware’s configurations.\r\nAttack Chain\r\nWould-be victims first receive a mobile text message masquerading as a legitimate message from a Japanese\r\nlogistics and transportation company, urging recipients to click the link in the SMS, as shown in Figure 1. The link\r\nredirects them to the malicious webpage, and clicking any button prompts users to download an Android\r\napplication package (APK). The webpage also has a guide, written in Japanese, on how to download and install\r\nthe app.\r\nFigure 1: Sample SMSs containing links to the malware\r\nhttps://www.trendmicro.com/en_us/research/18/f/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users.html\r\nPage 1 of 10\n\nFurther analysis indicates that this campaign also targets South Korean users and has been active since October\r\n2017. To Korean users, the information-stealing malware appears as an app for several local consumer financial\r\nservices companies. When targeting Japanese users, it poses as apps for transportation, logistics, courier, and e-commerce companies, a mobile telecommunications service, and a clothing retailer.\r\nFigure 2: The malicious webpage with instructions on downloading and installing the application\r\nFigure 3: Screenshots of the malicious apps in Korean (left) and Japanese (center, right)\r\nTechnical Analysis\r\nFakeSpy’s configurations, such as the command-and-control (C\u0026C) server, are encrypted to evade detection.\r\nOnce launched, FakeSpy starts monitoring the text messages that the affected device receives. These SMS\r\nmessages are stolen and uploaded to the C\u0026C server. To send commands via JavaScript, FakeSpy also abuses the\r\nJavaScript bridge (JavaScriptInterface) to invoke the app’s internal functions, downloading and then running\r\nJavaScript from a remote website. FakeSpy’s commands include adding contacts to the device,\r\nsetting it to mute, resetting the device, stealing stored SMS messages and device information, and updating its\r\nown configurations.\r\nFigure 4: FakeSpy’s encrypted configurations\r\nFigure 5: How FakeSpy uploads stolen text messages to the C\u0026C server\r\nFigure 6: FakeSpy using JavaScriptInterface to send commands\r\nFigure 7: Traffic from which attackers send the command to update FakeSpy’s configurations\r\nFakeSpy as a vector for a banking trojan\r\nApart from information theft, FakeSpy can also check for banking-related applications installed on the device. If\r\nthey match FakeSpy’s apps of interest, they are replaced with counterfeit/repackaged versions that imitate the user\r\ninterfaces (UI) of their legitimate counterparts. It phishes for the users’ accounts by ironically notifying users that\r\nthey need to key in their credentials due to upgrades made to the app to address information leaks. It also warns\r\nusers that their account will be locked. The stolen information is sent to the C\u0026C server once the users click on\r\nthe login button. Besides online banking apps, it also checks for apps used for digital currency trading and e-commerce.\r\nFigure 8: Code snapshot showing FakeSpy checking for legitimate banking-related apps and replacing them with\r\nfake versions\r\nFigure 9: UI of the malicious app that phishes the user’s banking credentials\r\nFigure 10: Code snippets showing how the malicious app steals banking credentials\r\nEvading Detection\r\nFakeSpy’s author uses different approaches to hide and update the C\u0026C servers. It abuses social media by writing\r\nthe IP address on a Twitter profile whose handles are regularly modified. The IP address starts with ^^ and ends\r\nwith $$. When FakeSpy launches, it accesses the Twitter page and parses its contents to retrieve the C\u0026C IP\r\naddress. FakeSpy’s author also abuses forums and open-source dynamic domain tools in a similar manner. To\r\nfurther evade detection, the C\u0026C server address configured into the apps is updated at least once per day. It’s\r\nalso worth noting that the cybercriminals behind FakeSpy are active, at least based on their activities on forums\r\nand the related URLs they register to host their malware.\r\nFigure 11: The Twitter pages that FakeSpy accesses to get the C\u0026C IP address\r\nFigure 12: FakeSpy using a forum (top) and dynamic domain tool (bottom) to hide the C\u0026C server\r\nBest Practices\r\nSMiShing is not a novel attack vector, but with social engineering, it can lure or compel victims\r\ninto handing out personal or corporate data, or direct them to malware-hosting websites. Users should practice good security hygiene: think before clicking, download only from official\r\napp stores, and regularly update credentials and the device’s OS and apps. Check for telltale signs of phishing,\r\nsuch as grammar errors or certain characters used to spoof a legitimate URL, and more importantly, beware of\r\nunsolicited messages that seem to give a sense of unwanted urgency.\r\nWe’ve coordinated with the affected organizations about this threat. A list of indicators of compromise (IoCs)\r\nrelated to FakeSpy is in this appendix.\r\nTrend Micro Solutions\r\nTrend Micro™ Mobile Security for Android™ (also available on Google Play)\r\nblocks malicious apps that may exploit this vulnerability. End users and enterprises can also benefit from its\r\nmultilayered security capabilities that secure the device’s data and privacy, and safeguard them from ransomware,\r\nfraudulent websites, and identity theft.\r\nFor organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance\r\nand application management, data protection, and configuration provisioning; it also protects devices from\r\nattacks that leverage vulnerabilities, prevents unauthorized access to apps, and detects and blocks\r\nmalware and fraudulent websites.\r\nTrend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using\r\nleading sandbox and machine learning technologies. It can protect users against malware, zero-day and known\r\nexploits, privacy leaks, and application vulnerabilities.\r\nSource: https://www.trendmicro.com/en_us/research/18/f/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/18/f/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users.html"
	],
	"report_names": [
		"fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434899,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f5c426e504d9d69600c4ca51dac955943f839e3e.pdf",
		"text": "https://archive.orkl.eu/f5c426e504d9d69600c4ca51dac955943f839e3e.txt",
		"img": "https://archive.orkl.eu/f5c426e504d9d69600c4ca51dac955943f839e3e.jpg"
	}
}