At first it looks like email spammers relying on old tricks – but a closer look at a new campaign spotted by security firm FireEye reveals that the messages are not spreading drive-by downloads or even peddling ordinary PC malware. Instead, attackers are beginning to drop Android malware, in this case FakeDefender, on phones via email.

In this case, the new campaign, relatively young at six days, relies on fake emails that appear to come from the United States Postal Service with messages that read: “USPS Notification: Courier couldn’t make the delivery of your parcel. Reason: Postal code contains an error,” asking users to “Print the Label.”

According to an entry by FireEye’s Vinay Pidathala on the company’s blog earlier this week, users need only click the featured link in the email – the “Print the Label” link – and the malicious .apk (Android Package File) is downloaded.

Researchers at FireEye went through HTTP requests and found nearly two-dozen URLs serving up the .apk, some disguised as LabelReader.apk.

As the security firm notes, this malware isn’t entirely new. It surfaced earlier this year and is known for deceiving users into “paying for cleanup of other non-existent infections on their device.” As long as the user pays the fee, the phone will purportedly remain uninfected with malware.

After it registers two broadcast receivers, the malware can also intercept incoming and outgoing calls and messages.

In some cases the malware uses different User-Agents to disguise itself – on one machine it can look like a mysterious .apk, but on another it can masquerade as a .zip file, even something as harmless-sounding as “Wedding_Invitation_Chicago.zip,” for example.
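As an added example, not code from the FireEye post or this article: an Android package is a ZIP archive carrying AndroidManifest.xml and classes.dex, so a defender can recognise a renamed download like the “.zip” above by its contents rather than its file name. The sample files and names below are constructed inline and contain no real malware.

```python
import io
import zipfile

# Constructed sample files (not real malware). An Android package is just a ZIP
# archive carrying a manifest and Dalvik bytecode, whatever its file name says.
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}
ZIP_MAGIC = b"PK\x03\x04"

def build_zip(entries):
    """Build an in-memory ZIP archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def looks_like_apk(data):
    """True when the bytes are a ZIP whose root holds both APK marker entries."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return APK_MARKERS.issubset(names)

def classify_downloads(downloads):
    """Label each {filename: bytes} as 'apk', 'archive' or 'other' by content, not extension."""
    verdicts = {}
    for filename, data in downloads.items():
        if looks_like_apk(data):
            verdicts[filename] = "apk"
        elif data.startswith(ZIP_MAGIC):
            verdicts[filename] = "archive"
        else:
            verdicts[filename] = "other"
    return verdicts

# Constructed samples: a package renamed to .zip, a plain .apk, a real archive, a PDF.
_APK_ENTRIES = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00"}
SAMPLES = {
    "Wedding_Invitation_Chicago.zip": build_zip(_APK_ENTRIES),
    "LabelReader.apk": build_zip({**_APK_ENTRIES, "res/icon.png": b"\x89PNG"}),
    "photos.zip": build_zip({"photo1.jpg": b"\xff\xd8\xff"}),
    "label.pdf": b"%PDF-1.4 constructed placeholder",
}

if __name__ == "__main__":
    print(classify_downloads(SAMPLES))
```

The same content check can be applied at a mail or web gateway to attachments and downloads before the file name is trusted.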

While scareware like this can be prevented from installing on most Android phones, it is still a relatively new vector for an Android malware campaign, one that follows, in a sense, in the footsteps of Windows malware.

Android users can disable the “Allow installation of apps from unknown sources” setting in their security settings to prevent unknown apps from being installed. In the same section users can also choose to verify apps, which blocks the installation of malicious apps or warns users before it proceeds.

Categories: Malware, Mobile Security

Comment (1)

  1. jamie

    The FakeDefender series predates 6 days. The “DHL Pack Station malware” series from a few months ago, from the Asprox botnet, was where I first started getting these .apk files. They were pretty rare, early versions. There have been several series of spam runs since then. You mentioned the Wedding Invitations, and the Fedex series. The WhatsApp New Voicemail is another successor.
    The landing pages usually check user-agent strings also, and can fake a 404 message if you try too many times.
    http://techhelplist.com/index.php/spam-list/314-new-voicemail-notification-whatsapp-malware
