FakeCop Android Malware

FakeCop Android Malware Description

The FakeCop malware is a threat that can take control over the victim's Android devices and perform numerous intrusive actions. An advanced version of FakeCop has been observed being deployed in an attack campaign targeting Japanese users. The threat was hosted on numerous URLs connected to a free DNS service named duckdns. The same duckdns service has also been abused as part of a phishing campaign targeting users in Japan. Infosec experts also believe that FakeCop can be spread via SMS, in a manner similar to other Android malware threats such as Flubot and Medusa.

Attack Details

To trick users, the FakeCop threat was injected into several weaponized applications that imitated legitimate security solutions popular in Japan. For example, one such fake application was modeled to appear as if it came from Anshin Security, a legitimate privacy service application published by NTT Docomo. In addition, the application displays the icon of the Secure Internet Security application available on the Play Store.

When one of the unsafe applications is started, it asks for 20 different device permissions. Afterward, it can abuse 12 of them to perform invasive actions on the device, depending on the commands received from the Command-and-Control (C2, C&C) server of the attack operation. The modified FakeCop malware is capable of collecting personal information including contacts, SMS messages, the list of installed apps, account information, hardware details and more. It can also modify or delete the device's SMS database. If instructed, FakeCop can also send SMS messages without requiring any interaction from the victim. Apart from its spyware functionality, the threat is also capable of displaying content provided by the cybercriminals in the form of notifications.

Avoiding Detection

The observed FakeCop version is extremely elusive. The threat actor used a custom-made packer to mask the threatening behavior from security solutions that rely on static detection. The hackers' custom packing technique first encrypts the threat's code and then stores it inside a specific file located in the assets folder.
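As an added defensive example (not code from the vendor's analysis or from the malware itself), the Python triage below turns two observations on this page into static checks an analyst can run on a suspicious APK: a high-entropy file under assets/ (where a packer stores an encrypted payload) and a manifest requesting the SMS and contacts permissions the threat abuses. The sample APK, the decoded manifest and the SUSPECT_PERMS list are constructed for the example; the entropy threshold is an assumed heuristic, not a published rule.

```python
import io
import math
import os
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed list: permissions that together enable the SMS/contacts theft and silent SMS sending described above.
SUSPECT_PERMS = {"android.permission.READ_SMS", "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                 "android.permission.READ_CONTACTS", "android.permission.GET_ACCOUNTS"}
def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed payloads approach 8.0, text stays well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def high_entropy_assets(apk_bytes: bytes, threshold: float = 7.5, min_size: int = 1024) -> list:
    """Asset files whose content looks encrypted (packer-style payload stored under assets/)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:  # an APK is an ordinary zip archive
        return [i.filename for i in apk.infolist()
                if i.filename.startswith("assets/") and i.file_size >= min_size
                and shannon_entropy(apk.read(i)) >= threshold]

def requested_permissions(manifest_xml: str) -> set:
    """Permissions declared in a decoded (apktool-style) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def triage(apk_bytes: bytes, manifest_xml: str) -> dict:
    """Combine both heuristics into one report an analyst can act on."""
    perms = requested_permissions(manifest_xml)
    return {"permission_count": len(perms),
            "suspect_permissions": sorted(perms & SUSPECT_PERMS),
            "high_entropy_assets": high_entropy_assets(apk_bytes)}

def build_sample_apk() -> bytes:
    """Constructed sample APK: one text asset plus a random blob standing in for an encrypted payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/config.txt", "plain configuration text\n" * 200)
        z.writestr("assets/data.bin", os.urandom(4096))
    return buf.getvalue()
# Constructed decoded manifest with the permission mix a fake security app might request.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.fake">
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
```

Running triage(build_sample_apk(), SAMPLE_MANIFEST) flags assets/data.bin and three of the four permissions; on a real sample, feed it the APK bytes and the manifest decoded by apktool.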

In addition, the FakeCop variant checks for security solutions already present on the compromised device. Upon a match with a list of specific security apps, FakeCop generates a notification asking the user to uninstall or disable the legitimate security programs. This way the threat ensures its persistence on the infected Android system.