This spyware has been spreading for the last couple of months through newly registered domains that lead to the download of Android malware. The threat impersonates a fake Sagawa delivery service (Sagawa Express). It contains worm-like spreading capabilities via text messages and can be a threat to the victim's mobile banking services. Based on commands from the attacker, it can download an additional payload and make the user install it as an "update".

I discovered this malicious campaign, which started at the beginning of June 2018. At that time, I warned my followers about this threat and its distribution.

Don't download any application from "Sagawa Express" via SMS! #Japan 🇯🇵

Fake webpage "Sagawa Express" created 3 days ago makes user download Android mobile banking worm.

It spreads to all victim contacts via SMS. It can also steal mobile banking credentials. pic.twitter.com/Cjpi8TkaOM

— Lukas Stefanko (@LukasStefanko) June 4, 2018



Distribution vector

This Android spyware is spread by social engineering: the potential victim receives a text message from someone in their contact list, whose device has already been compromised. The SMS contains a link to a fake Sagawa website that leads to downloading the malicious app.

The content of the text message and the link it carries are received from the attacker once the malicious app is installed and opened.

Text message: お客様宛にお荷物のお届けにあがりましたが不在の為持ち帰りました。 下記よりご確認ください。hxxp ://sagawa-mama. com/

Translated: We came to deliver a package to you, but since you were absent we took it back with us. Please confirm at the link below. hxxp ://sagawa-mama. com/

Figure 1. Text message containing fake link



Infection vector and video analysis

In this code analysis I explain how the dropper delivers the actual payload and what the payload does. The video starts with a real-case example of how a potential victim can get infected.



To conclude

The conclusion is really simple: never download an Android app from a link in a text message, even if it appears to have been sent by your family member, friend or wife.



IOC

Dropper: 537F667DD6AC725B14E8F9833AD39C73A5E19761

Payload: 086076FA7EF549FB6476342C14E543F4D63E9D04

C&C: 125. 227.174.32
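As an added defender-side example (not code from the original post), the following Python script turns the indicators listed above and the SMS lure described under "Distribution vector" into checks an analyst can run offline: it matches SHA-1 digests of candidate APK files against the dropper and payload hashes, refangs the defanged lure domain and C&C address so they can be compared with URLs in an exported SMS log, and flags messages that combine the Japanese "took the package back because you were absent" phrase from the quoted lure with a link. The SMS log lines and the "benign" file bytes are constructed sample input; the function and constant names are my own.

```python
import hashlib
import re
from urllib.parse import urlparse

# SHA-1 hashes from the post's IOC section, normalised to lower case.
IOC_SHA1 = {
    "537f667dd6ac725b14e8f9833ad39c73a5e19761": "dropper",
    "086076fa7ef549fb6476342c14e543f4d63e9d04": "payload",
}

# Network indicators exactly as defanged on the page; they are refanged only in
# memory so that they can be compared with hostnames parsed from real URLs.
IOC_NETWORK_DEFANGED = {
    "sagawa-mama. com": "lure domain",
    "125. 227.174.32": "C&C",
}

# Phrase from the lure SMS quoted in the post ("took it back because you were
# absent"); on its own it is a weak signal, so it is only used together with a URL.
LURE_PHRASE = "不在の為持ち帰りました"

URL_RE = re.compile(r'https?://[^\s<>"]+')


def refang(indicator: str) -> str:
    """Undo the 'hxxp' and spaced-dot defanging used on the page."""
    return (indicator.replace("hxxp", "http")
            .replace(" ://", "://")
            .replace(". ", ".")
            .replace(" .", ".")
            .strip())


IOC_HOSTS = {refang(k): v for k, v in IOC_NETWORK_DEFANGED.items()}


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def match_sha1(digest: str):
    """Return the IOC label for a SHA-1 digest, or None if it is not listed."""
    return IOC_SHA1.get(digest.strip().lower())


def classify_file(data: bytes):
    """Hash file contents and look the digest up in the IOC list."""
    return match_sha1(sha1_of_bytes(data))


def scan_sms(lines):
    """Return (line_number, reason, url) for every message that carries a link to
    a listed host, or that pairs the delivery-notice lure phrase with any link."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname or ""
            if host in IOC_HOSTS:
                hits.append((n, IOC_HOSTS[host], url))
            elif LURE_PHRASE in line:
                hits.append((n, "delivery-notice lure with link", url))
    return hits


# Constructed SMS export (not real traffic): one message reusing the quoted lure,
# one benign message, one lure-shaped message pointing at an unlisted host, and one
# message linking directly to the listed C&C address.
SAMPLE_SMS_LOG = [
    "2018-06-04 10:12 from:+81-90-0000-0001 お客様宛にお荷物のお届けにあがりましたが"
    "不在の為持ち帰りました。下記よりご確認ください。http://sagawa-mama.com/",
    "2018-06-04 11:30 from:+81-80-0000-0002 明日の会議は15時からです",
    "2018-06-05 09:01 from:+81-70-0000-0003 不在の為持ち帰りました。http://example.net/track",
    "2018-06-05 09:40 from:+81-70-0000-0004 update: http://125.227.174.32/",
]

if __name__ == "__main__":
    for line_no, reason, url in scan_sms(SAMPLE_SMS_LOG):
        print(f"line {line_no}: {reason} -> {url}")
    print("constructed benign file:", classify_file(b"constructed benign bytes"))
```

Matching on the parsed hostname rather than on a substring avoids false positives from unrelated domains that merely contain the indicator text, and keeping the indicators in their defanged form in the source means the script can be pasted into a report without turning the IoCs into live links.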





References

FakeSpy Android Information-Stealing Malware Targets Japanese and Korean-Speaking Users

FakeSpy Comes Back. New Wave Hits Japan

Androidを狙った、日本の宅配業者アプリを装うマルウェア (Malware targeting Android, disguised as a Japanese parcel-delivery company's app)