SmsSpy Malware Description
The smishing campaign carried out by the Roaming Mantis hacker group is still evolving. The primary targets of the operation have been users from Asian countries but now the hackers have deployed a new malware named SmsSpy that is designed to infect Japanese users specifically. The main goal of the malware strain is to collect phone numbers and SMS messages from the compromised Android devices. The threat is capable of deploying two different versions, depending on the user's Android OS version leading to a substantial increase in potential victims.
Initial Compromise Vector
The attack begins with phishing SMS messages that lead users to a corrupted webpage. The exact text of the fake message may vary as the cybercriminals could pretend to be a logistics company that needs confirmation for some service from the user. In another scenario, users are supposedly being warned about problems with their bitcoin account, and are instructed to follow the provided link to verify their login information.
The phishing page will then check for the Android version of the user's device to determine the following steps of the attack. On devices running Android OS 10 or later, the malware threat will be deployed as a fake Google Play application. For devices using Android 9 or earlier, a fake Chrome application will be downloaded instead.
The Threatening Functionality of SmsSpy
Once installed, the harmful application will request to be set as the default messaging application for the device to gain access to the victim's contacts and SMS messages. The notification screen displayed to the user matches the version of the application that has been downloaded. The Google Play variant poses as a security service that will supposedly provide virus, spyware, anti-phishing and spam mail protection. As for the fake Chrome application, it warns users that not accepting its permissions requests could lead to the application not being able to start or limiting its functions.
Afterward, SmsSpy will hide its icon and attempt to establish communication with its Command-and-Control server through a WebSocket communication. The default address is embedded into the malware's code, but it also has link information that activates whenever the C2 server location needs to be updated. The C2 servers are usually hidden in the user profile page of a blog service, but some samples also have been observed to use a Chinese online document service for the same purpose.
During the initial handshake, the SmsSpy malware sends system details about the infected device, including the Android OS version, phone number, device model, a unique device ID and internet connection type. The threat will then enter into a listen mode, where it lays dormant while waiting for incoming commands. The attackers can exfiltrate the entire contact book and SMS messages, send and delete SMS messages and more.