Authored by Yukihiro Okutomi
McAfee’s Mobile workforce noticed a smishing marketing campaign in opposition to Japanese Android customers posing as an influence and water infrastructure firm in early June 2023. This marketing campaign ran for a brief time from June 7. The SMS message alerts about fee issues to lure victims to a phishing web site to contaminate the goal units with a remote-controlled SpyNote malware. In the previous, cybercriminals have typically focused monetary establishments. However, on this event, public utilities had been the goal to generate a way of urgency and push victims to behave instantly. Protect your Android and iOS cellular units with McAfee Mobile Security.
Smishing Attack Campaign
A phishing SMS message impersonating a energy or water provider claims a fee downside, as proven within the screenshot beneath. The URL within the message directs the sufferer to a phishing web site to obtain cellular malware.
Notice of suspension of energy transmission due to non-payment of prices from an influence firm in Tokyo (Source: Twitter)
Notice of suspension of water provide due to non-payment of prices from a water firm in Tokyo (Source: Twitter)
When accessed with a cellular browser, it would begin downloading malware and show a malware set up affirmation dialog.
The affirmation dialog of Spyware set up through browser (Source: Twitter)
SpyNote malware
SpyNote is a recognized household of malware that proliferated after its supply code was leaked in October 2022. Recently, the malware was utilized in a marketing campaign focusing on monetary establishments in January and focusing on Bank of Japan in April 2023.
The SpyNote malware is remotely managed adware that exploits accessibility providers and system administrator privileges. It steals system info and delicate person info reminiscent of system location, contacts, incoming and outgoing SMS messages, and telephone calls. The malware deceives customers by utilizing legit app icons to look actual.
Application Icons disguised by malware.
After launching the malware, the app opens a pretend settings display screen and prompts the person to allow the Accessibility characteristic. When the person clicks the arrow on the backside of the display screen, the system Accessibility service settings display screen is displayed.
A pretend setting display screen (left), system setting display screen (middle and proper)
By permitting the Accessibility service, the malware disables battery optimization in order that it might probably run within the background and robotically grants unknown supply set up permission to put in one other malware with out the person’s data. In addition to spying on the sufferer’s system, it additionally steals two-factor authentication on Google Authenticator and Gmail and Facebook info from the contaminated system.
Although the distribution methodology is totally different, the step of requesting Accessibility service after launching the app is just like the case of the Bank of Japan that occurred in April.
Scammers sustain with present occasions and try to impersonate well-known firms which have a purpose to achieve out to their clients. The cellular malware assault utilizing SpyNote found this time targets cellular apps for all times infrastructure reminiscent of electrical energy and water. One of the explanations for that is that electrical payments and water payments, which was once issued on paper, are actually managed on the net and cellular app. If you need to study smishing, seek the advice of this text “What Is Smishing? Here’s How to Spot Fake Texts and Keep Your Info Safe”. McAfee Mobile Security detects this menace as Android/SpyNote and alerts cellular customers whether it is current and additional protects them from any knowledge loss. For extra info, go to McAfee Mobile Security.
Indicators of compromise (IoC)
C2 Server:
Malware Samples:
| SHA256 Hash | Package identify | Application identify |
| 075909870a3d16a194e084fbe7a98d2da07c8317fcbfe1f25e5478e585be1954 | com.faceai.boot | キャリア安全設定 |
| e2c7d2acb56be38c19980e6e2c91b00a958c93adb37cb19d65400d9912e6333f | com.faceai.boot | 東京電力 |
| a532c43202c98f6b37489fb019ebe166ad5f32de5e9b395b3fc41404bf60d734 | com.faceai.boot | 東京電力TEPCO |
| cb9e6522755fbf618c57ebb11d88160fb5aeb9ae96c846ed10d6213cdd8a4f5d | com.faceai.boot | 東京電力TEPCO |
| 59cdbe8e4d265d7e3f4deec3cf69039143b27c1b594dbe3f0473a1b7f7ade9a6 | com.faceai.boot | 東京電力TEPCO |
| 8d6e1f448ae3e00c06983471ee26e16f6ab357ee6467b7dce2454fb0814a34d2 | com.faceai.boot | 東京電力TEPCO |
| 5bdbd8895b9adf39aa8bead0e3587cc786e375ecd2e1519ad5291147a8ca00b6 | com.faceai.boot | 東京電力TEPCO |
| a6f9fa36701be31597ad10e1cec51ebf855644b090ed42ed57316c2f0b57ea3c | com.faceai.boot | 東京電力TEPCO |
| f6e2addd189bb534863afeb0d06bcda01d0174f5eac6ee4deeb3d85f35449422 | com.faceai.boot | 東京電力TEPCO |
| 755585571f47cd71df72af0fad880db5a4d443dacd5ace9cc6ed7a931cb9c21d | com.faceai.boot | 東京電力TEPCO |
| 2352887e3fc1e9070850115243fad85c6f1b367d9e645ad8fc7ba28192d6fb85 | com.faceai.boot | 東京電力TEPCO |
| 90edb28b349db35d32c0190433d3b82949b45e0b1d7f7288c08e56ede81615ba | com.faceai.boot | 東京電力TEPCO |
| 513dbe3ff2b4e8caf3a8040f3412620a3627c74a7a79cce7d9fab5e3d08b447b | com.faceai.boot | 東京電力TEPCO |
| f6e2addd189bb534863afeb0d06bcda01d0174f5eac6ee4deeb3d85f35449422 | com.faceai.boot | 東京電力TEPCO |
| 0fd87da37712e31d39781456c9c1fef48566eee3f616fbcb57a81deb5c66cbc1 | com.faceai.increase | 東京水道局アプリ |
| acd36f7e896e3e3806114d397240bd7431fcef9d7f0b268a4e889161e51d802b | com.faceai.increase | 東京水道局アプリ |
| 91e2f316871704ad7ef1ec74c84e3e4e41f557269453351771223496d5de594e | com.faceai.increase | 東京水道局アプリ |
