SmsSpy Android Malware Goes After Japan-based Users
High-profile threat actors have been gradually paying more and more attention to mobile devices. One of the Advanced Persistent Threat (APT) actors specializing in attacks against Android mobile devices is Roaming Mantis, and one of their recent campaigns introduced a new piece of malware called SmsSpy. The threat is Android-exclusive, and it appears to have been used against Japanese users since January. The threat has received several updates over the past few months, but its core functionality appears to remain unchanged.
The criminals behind the SmsSpy Malware are tracked under the alias Roaming Mantis, and their recent campaign uses a peculiar strategy to approach victims – smishing. Smishing is a term used to describe a phishing campaign executed through text or SMS messages. Typically, the criminals behind such campaigns impersonate legitimate companies and entities and then make attractive offers to recipients. In the case of the SmsSpy Malware, the Roaming Mantis hackers impersonated Bitcoin operators or transport companies that offered assistance with various issues.
These messages carried a link to the SmsSpy Malware, and users who downloaded it would end up unknowingly infecting their device. On devices running Android 9 and below, the malicious app poses as a copy of Google Chrome, while on Android 10 and above it poses as a Google Play app.
As the name of the threat suggests, SmsSpy specializes in extracting data from the user's text messages, as well as intercepting incoming texts. Furthermore, the criminals can use the implant to hijack the victim's contact list. Since the malware poses as a legitimate app or service, manual removal might be very difficult.
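A triage sketch for the masquerade described above, as an added example that is not from the original article: it flags apps whose display label imitates Chrome or Google Play while the package name is not the genuine one, and raises severity when the app holds the Android permissions needed to read or receive SMS or read contacts. The inventory format, the label list and the `com.example.*` entries are constructed assumptions; the article does not list the malware's package names or permissions.

```python
import unicodedata

# Labels the lure imitates, mapped to the genuine package for that label.
GENUINE_PACKAGE = {
    "chrome": "com.android.chrome",
    "google chrome": "com.android.chrome",
    "google play": "com.android.vending",
    "google play store": "com.android.vending",
    "play store": "com.android.vending",
}
# Android permissions required to read SMS, receive SMS, and read contacts.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
}

def normalize(label):
    """Fold case, full-width characters and stray whitespace in an app label."""
    folded = unicodedata.normalize("NFKC", label).casefold()
    return " ".join(folded.split())

def triage(apps):
    """Return one finding per app that borrows a trusted label under another package."""
    findings = []
    for app in apps:
        expected = GENUINE_PACKAGE.get(normalize(app["label"]))
        if expected is None or app["package"] == expected:
            continue  # label is not an imitated one, or it is the genuine package
        risky = sorted(SENSITIVE & set(app["permissions"]))
        findings.append({
            "package": app["package"],
            "label": app["label"],
            "severity": "high" if risky else "review",
            "permissions": risky,
        })
    return findings

# Constructed inventory (for example, parsed from an MDM export); not real samples.
SAMPLE = [
    {"label": "Chrome", "package": "com.android.chrome", "permissions": ["android.permission.CAMERA"]},
    {"label": "Ｃｈｒｏｍｅ ", "package": "com.example.lookalike1", "permissions": [
        "android.permission.READ_SMS", "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS"]},
    {"label": "Google Play", "package": "com.example.lookalike2", "permissions": ["android.permission.INTERNET"]},
    {"label": "Messages", "package": "com.google.android.apps.messaging", "permissions": ["android.permission.READ_SMS"]},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A matching package name is not proof of authenticity on its own, so a flagged or unflagged app should still be checked against its signing certificate and install source.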
The smishing campaign involving the SmsSpy Malware is still ongoing. Users should protect their Android devices with the use of reputable antivirus apps.