Beware of SMS disguised as missing packages! Steal terminal information and encourage download of a fake Sagawa Express app "sagawa.apk" that can be remotely controlled
Kaspersky Co., Ltd. reported on its official blog that a fake site disguised as a Japanese delivery company's website was found, calling attention to it. By clicking on a shortened URL sent by SMS (Short Message Service) disguised as a missing package notification, you will be guided to a fake site and install a fake app there. According to Kaspersky's investigation, the fake app communicated with Taiwan when it was installed, sending information such as the device's IMEI and phone number.
The fake site is disguised as the Sagawa Express website, and the image of actor Yuji Oda, who is used in the company's TV commercial, is displayed at the top. Kaspersky has pointed out that it is difficult to distinguish it as a fake site just by looking at it on the small screen of a smartphone, although it is opened with the "gnway.cc" domain and is different from the "co.jp" domain of the official site. ing.
On the other hand, in the "Freight Tracking Service" section, there is a "Freight Tracking" button that is different from the official site, and by tapping the screen, the fake application "sagawa.apk" is downloaded. Unlike the official site, the lower part of the fake site also provides instructions on how to install "apps from unknown sources" on Android. Also, during installation, it asks for permissions such as reading contacts and receiving and reading SMS.
Fake site of Sagawa Express. In the "Freight tracking service" section, if it is a legitimate site, there should be an input box for "Inquiry invoice number." YesKaspersky explained that this fake app sends information such as SMS and contact list to the outside. Kaspersky products detect and block malware with the names "HEUR:Trojan.AndroidOS.Piom.qcd" and "HEUR:Trojan-Spy.AndroidOS.Agent.qa".
Kaspersky's official blog post is dated January 12th, but according to the data of the shortened URL (Google URL Shortener) that leads to the fake site, the shortened URL was created 11 days before the article was written. , and access from Japan accounts for the majority, exceeding 30,000. The site was temporarily inaccessible, but is said to be back up as of this writing. Kaspersky recommends that you avoid visiting suspicious URLs and be very careful with suspicious apps.
Analysis results of shortened URLs by Google URL Shortener (at the time of writing the relevant article on Kaspersky official blog. Image reprinted from Kaspersky official blog) However, the specific text that was confirmed was published on the website. "If you access the addresses listed in such spam emails or open the attached files, you may be infected with a computer virus, so please be careful."Most recently, on December 28, 2017, the latest example of the text was updated. Google's shortened URL (goo.gl) was delivered by SMS disguised as an out-of-office notification, and a new case was announced that led to a fake site. The text of the SMS is as follows.
Notification The package was delivered to the customer, but he was not there.
[Addendum 18:10] Trend Micro Co., Ltd. also reported on the results of their investigation into this fake site/fake app in their official blog post dated January 15th. This application is a backdoor-type malicious application, and it is said that the following terminal information is sent to the attacker's remote control C&C server.
In addition, it is said that various unauthorized activities will be carried out according to the commands received by the application, and that the following unauthorized activities can be remotely executed by attackers.
In addition, since the APK file was not downloaded even when accessing the fake site on the iPhone, it is believed that the behavior is changing depending on the device that accessed the fake site.
In addition, according to the current verification, Trend Micro was unable to connect to the C&C server and was unable to investigate what kind of fraudulent activities were actually being carried out. However, the contents of the available commands can be broadly divided into activities such as "locking the screen and disabling the device", "stealing contact information and SMS information", and "installing other malicious apps". Described as presumed. "By combining these activities, an attacker can steal information on the device, lock the screen and demand a ransom, etc."
Trend Micro products detect this malicious app as "AndroidOS_Wroba.U".
According to Trend Micro, an SMS with the same content was confirmed to spread around December 24th of last year, but has been spreading again since around January 11th this year. In the future, it is said that similar spam emails and SMS will continue to spread, and it is calling attention by stating the following.
The sender is also displayed in the form of a phone number in SMS, but if it is from a delivery company, it is not strange to have a number that you do not know. This type of mistyping is common in everyday life.Since SMS has a character limit, there is no sender information in the text, and the URL in the text. If it is a shortened URL, it cannot be said that it is a condition that can be judged as suspicious."
``One of the countermeasures for the tricks that try to lead you to dangers on the Internet is to know the tricks and avoid being deceived. Please check before accessing.In addition, if the information is unknown before accessing due to a shortened URL, etc., please check whether the URL displayed on the browser after accessing is genuine."
