An Android based phishing effort targeting consumers of Japanese telecommunication providers was discovered by researchers. Threat Actors behind this campaign has hosted multiple domains and spreads a fake version of the official Telecommunication network’s Android application. Upon analyzing the sample, we determined that the malware conducts phishing activities to steal credentials and session cookies. It then proceeds to upload this information to the attackers email through SMTP.

Attackers used numerous domains to disseminate a fake Android application from a telecommunications company. These were the observations:

  • Researchers uncovered over 2,900 credentials/cookies for 797 Android and 2,141 Apple mobile devices during this effort.
  • The malware-infected spoof app collects login information and session cookies.
  • The program requests a few permissions for the attacker to get information about the device’s network connections.

Once the malicious application is launched, it prompts users to connect to a cellular network while turning off Wi-Fi. The phony application directs you to the official website of the telecom’s payment provider. These are the next steps:

  • When a customer’s subscription is verified, the consumer is given a network PIN number. This PIN is used by subscribers to verify their identity or alter certain settings.
  • To lure victims, the app displays the legitimate payments URL in WebView and conceals malicious strings to prevent reverse engineering and discovery.
  • After the information is taken, it is transmitted through SMTP to an attacker’s email address.

Phishing is a frequent yet successful method that involves mimicking an official program of popular software. Furthermore, the perpetrators of malicious Android applications employ a variety of tactics to avoid detection by security software. Therefore, it is suggested that you never download programs from unknown third-party stores and always use the official app store