
TianySpy Malware

TianySpy malware is a mobile infostealer that targets Japanese Android and iPhone users. The threat was spread via smishing messages, a delivery method that is common in threatening campaigns aimed at Android devices but extremely rare for iPhones. In fact, according to the report about the threat released by Trend Micro, this is the first time that they have seen a smishing attack used to spread iPhone threats.

The infection chain begins with a lure SMS designed to appear to come from a telecommunications company. The message contains a link to a compromised website. Once there, users are presented with instructions to download a supposed security software product; in reality, they receive the malware threat.

Alternate Bait Messages

Two different versions of the bait message were observed. The first one is delivered via a compromised SMS delivery service and can be translated as: 'Unauthorized access to your account detected. Please confirm.' (Original message: 【●●●】お客様がご利用の●アカウントが不正利用の可能性があります。ご確認が必要です) Both Android and iPhone users who accessed the link in this message were infected with TianySpy.

The alternative bait SMS claims that 'Your payment could not be confirmed. Please confirm.' (Original message: ●●●お客様センターです。ご利用料金のお支払い確認が取れておりません。ご確認が必要です。) Researchers believe that these messages originate from devices infected with the Android malware threat 'AndroidOS_KeepSpy.GCL.' This second version of the attack also dropped TianySpy on iPhone devices, but Android users were instead infected with KeepSpy.

Threatening Functions

TianySpy may have been created specifically to collect the victim's account credentials associated with the membership websites belonging to prominent Japanese telecommunication companies. More specifically, the malware threat is capable of obtaining the infected device's Wi-Fi settings, running a corrupted JavaScript to harvest additional data, opening unsafe or fake sites, and exfiltrating the gathered information via email. In addition, TianySpy can abuse WebView on Android devices to falsify the data displayed on the official site of a legitimate telecommunication company, especially the site's usage statement.

