Fake post-office apps are trying to steal your money — avoid these now

us postal service
(Image credit: Michael715 / Shutterstock.com)

Security researchers have discovered a new strain of malware that masquerades as postal services from multiple countries.

According to information-security firm Cybereason, a new campaign involving FakeSpy -- an Android information-stealer that previously attacked victims in South Korea and Japan -- is now targeting users in the US, UK, Germany, France, China, Taiwan and Switzerland.

First discovered in 2017, FakeSpy is capable of sending malicious text messages, spying on sensitive data like account details and contacts, compromising banking and card details, and pilfering account data. 

FakeSpy relies on a technique called SMS phishing, whereby hackers distribute malicious text messages that purport to be from a legitimate organisation so that the victims are encouraged to click on links. 

But over the past few years, the malware has become more powerful, has developed new features and is now compromising users on a global scale. 

“FakeSpy is very interesting because it has been in the wild since 2017; now its latest campaign indicates that it has become more powerful!" Cyberreason writes in its report. "Code improvements, new capabilities, anti-emulation techniques, and new global target audience all suggest that this malware is well maintained by its authors."

Global targets

In its new campaign, FakeSpy victims receive a message claiming to be from a local postal service. However, the content of the message is fake and includes a malicious link.

The text messages purport to be from legitimate postal services such the U.S. Postal Service, the Royal Mail (UK), Deutsche Post (Germany),  La Poste (France), Japan Post (Tokyo), Yamato Transport (Japan), Chunghwa Post (Taiwan) and Swiss Post (Switzerland).

Once users click on the link in the text message, they’re taken to what looks like a convincing website of a postal provider. Here, they’re asked to install an Android app from this company, but it’s actually the FakeSpy APK.

“Cybereason has observed that each of the fake applications are built using WebView, which allows the developer to show a webpage,” said the researchers.

“In this scenario, the malicious FakeSpy apps redirect users to the original post office carrier web page. Between this, these applications’ icons, and their UIs [user interfaces], they appear legit and can easily lure the user to believe it’s the original application.”

Dangerous results

After the Android app has been downloaded and given various device permissions, its stealing capabilities soon come into effect. 

The malware is capable of stealing contact lists, mobile numbers and device information, and also looks for banking and cryptocurrency apps installed on the infected hardware. 

Assaf Dahan, head of threat research at Cybereason, told Tom’s Guide: “Hackers prey on consumers and individuals because they are the weakest link in the game of chess that goes on constantly between hackers and corporations and hackers and consumers. 

“To minimize risk, users should apply critical thinking and be suspicious of SMS messages containing links. If they do click on a link, they need to check the authenticity of the webpage, look for typos or wrong website name, and most of all -  avoid downloading apps from unofficial stores.”

To that, we'd add that you should never download or install an app that is offered through a website. Go to the Google Play Store instead and search for the app there. And as always, one of the best Android antivirus apps will help detect and defeat mobile malware.

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!