An Android malware dubbed “FunkyBot” has started making the scene in Japan, operated by the same attackers responsible for the FakeSpy malware. It intercepts SMS messages sent to and from infected devices.
According to FortiGuard Labs, the malware (named after logging strings found in the persistence mechanism of the payload) masquerades as a legitimate Android application. The payload thus consists of two .dex files: One is a copy of the original legitimate application that the malware is impersonating, and the other is malicious code.
As for the kill chain, a packer first determines which version of Android the phone is running on, in order to generate the proper payload. After that, the payload is started by calling the method `runCode` class through Java reflection. This starts a class called KeepAliceMain, which is used as persistence mechanism by the malware.
“It uses an open source library that can be found on Github to keep the service alive on the device,” explained FortiGuard’s Dario Durando, in a blog this week. “It also allows the malware to mute sounds from the device.”
Interestingly, the malware uses social media to obtain the address for the command-and-control (C2) server. Durando said that it downloads the webpage of a photo-less Instagram account. It then extracts the biography field of this account and decodes it using Base64.
After the connection to the server is started, the malware proceeds to fingerprint the device, sending the IMEI, IMSI (International Mobile Subscriber Identity) and phone number to the attackers. This data is used to make decisions about later behavior.
“It is interesting to note that the malware identifies the provider of the SIM card and looks specifically for a specific Japanese telecommunication provider,” explained Durando. “To do so, it checks the IMSI value of the device. This value is composed of two halves: the first identifies the provider, and the second is unique to the specific device.”
It also harvests the victim’s list of contacts for propagation purposes; to wit, the C2 sends a telephone number and a message body to the malware, which it uses to generate an SMS message that will be sent to everyone on the list.
“The amount of exfiltrated information is relatively limited, especially when compared to bigger families like Anubis, Cerberus or Hydra,” Durando said. “However, like previous campaigns [like FakeSpy], it also features aggressive spreading techniques…to enable the malware to spread in a worm-like fashion.”
Going back to the fingerprinting, if the desired, specific provider is associated with the device, the malware increases the maximum number of SMS messages it allows itself to send.
“After some research, we concluded that this behavior might just be because the provider enables customers to send free SMS messages to each other, increasing the amount of traffic a single infected device is capable of generating before arousing suspicion,” Durando said.
And in its last stage, FunkyBot alters the device settings to make itself the default SMS handler application.
“[It] uses this to upload to the C2 all the received messages,” Durando said. “This functionality can be very dangerous, considering that most banks currently use two-factor authentication through SMS.”
Aside from the analyzed sample targeting Japan, FortiGuard also found others that were not completely developed and lacked some of the functionality of the main binary.
“[This suggests] that the malware is currently under development and is being tested in the wild,” Durando said. “The capabilities of this family are limited at the moment, but the fact that we were able to find different samples that showed significant improvement in the span of a few weeks shows that this family should not be underestimated.”
Interested in more on the internet of things (IoT)? Don’t miss our on-demand Threatpost webinar, IoT: Implementing Security in a 5G World. Join experts from Nokia, iboss and Sectigo as they offer enterprises and other organizations insights about how to approach security for the next wave of IoT deployments. Click here to listen to the recorded webinar.
