Background

The RoamingMantis cybercrime group has been extensively blogged about, analyzed and discussed on different information security conferences and blogs since 2017. It is known to infect victims with the following range of malware families for the Android OS: FakeCop, FakeSpy, MoqHao and FunkyBot. The malware is meant to provide the criminals with access to the victims’ Android OS devices for further monetary fraud. Until now, the group has been known to focus mostly on Asian countries. It was attacking Europe back in 2018 as well, however we have found those campaigns to be not as organized as these new ones.

Image for post
Image for post
The image above is present on every FakeCop malware’s control panel

This trojan is usually delivered via SMS spam, containing links to a variety of different fake websites, which entice the victims to download and install a malicious component — in this case FakeCop. …


Over the past couple of weeks, we have been observing a new Trojan on GooglePlay. So far, we have detected it in 24 apps with over 472,000+ installs in total. The malware — going by the name “the Joker” (which was borrowed from one of the C&C domain names) — delivers a second stage component, which silently simulates the interaction with advertisement websites, steals the victim’s SMS messages, the contact list and device info.

The automated interaction with the advertisement websites includes simulation of clicks and entering of the authorization codes for premium service subscriptions. For example, in Denmark, Joker can silently sign the victim up for a 50 DKK/week service (roughly ~6,71 EUR). This strategy works by automating the necessary interaction with the premium offer’s webpage, entering the operator’s offer code, then waiting for a SMS message with a confirmation code and extracting it using regular expressions. …


The latest Android OS comes in countless varieties of vendor builds and versions. Are you aware of what else is countless about Android OS? It is the amount of complex and often privacy-invasive advertisement frameworks available. In addition, it seems that the aforementioned facts are being exploited for easy income.

Image for post
Image for post
https://play.google.com/store/apps/details?id=samsungupdate.com

The above eye-catching app exists on the official Android OS application store. How did the developer trick 10,000,000+ users into installing it? I am going to put my money on the fact that he or she named the app “Updates for Samsung”. It would be wrong to judge people for mistakenly going to the official application store for the firmware updates after buying a new Android device. …

About

Aleksejs Kuprins

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store