Security researchers have disclosed a new malware campaign targeting Japanese users. The campaign uses a new piece of Android spyware named FunkyBot, operated by the same group responsible for the FakeSpy malware. According to FortiGuard Labs, the malware poses as a legitimate application to get onto a target's device.
FunkyBot consists of two .dex files: one is a copy of the legitimate app that the malware impersonates, and the other contains the malicious code.
As for the kill chain, a packer first determines the model of the Android phone in order to generate the right payload. The payload is then loaded by invoking the 'runCode' class via Java reflection. This in turn starts a class called KeepAliceMain, which the malware uses to achieve persistence.
Researcher Dario Durando further noted that the malware uses an unusual method to communicate with its C2 server.
Once the connection to the C2 server is established, FunkyBot proceeds to collect information about the device, including its IMEI, IMSI, and phone number.
After it sends all of the device's contacts, FunkyBot waits for the C2 server to respond with a phone number and a message, which it uses to compose an SMS.
An interesting aspect of the malware is that it identifies the telecommunications provider by inspecting the IMSI value of the targeted device. The IMSI is made up of two parts: the first identifies the provider, and the second is unique to the specific device.
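The two-part IMSI structure the article refers to is the ITU-T E.212 layout: a 3-digit mobile country code (MCC) and a 2- or 3-digit mobile network code (MNC) together identify the operator, and the remaining digits (the MSIN) identify the individual subscription. The following Python is an added example, not code from the article or from FortiGuard Labs, showing how an analyst can split a harvested IMSI into those parts and redact the subscriber portion before it lands in logs or telemetry. The MNC-length table and the operator labels are constructed placeholders, not an authoritative list.

```python
"""Added example (not from the original article): split an IMSI into its
operator prefix (MCC + MNC) and subscriber part (MSIN), and redact the
subscriber part for safe logging.

Per ITU-T E.212 an IMSI is at most 15 digits: MCC (3 digits), MNC (2 or 3
digits depending on the country), then the MSIN. Country-to-MNC-length
and operator labels below are a constructed, illustrative subset.
"""
from dataclasses import dataclass

# Constructed sample: MCC -> number of MNC digits used in that country.
# Japan (440/441) uses 2-digit MNCs; the United States (310) uses 3-digit MNCs.
MNC_LENGTH_BY_MCC = {
    "440": 2,
    "441": 2,
    "310": 3,
}

# Constructed placeholder labels; a real table would map (MCC, MNC) to
# operator names from an authoritative source.
SAMPLE_OPERATORS = {
    ("440", "10"): "JP-OPERATOR-A (placeholder)",
    ("440", "20"): "JP-OPERATOR-B (placeholder)",
    ("310", "260"): "US-OPERATOR-A (placeholder)",
}


@dataclass(frozen=True)
class ImsiParts:
    mcc: str   # mobile country code, 3 digits
    mnc: str   # mobile network code, 2 or 3 digits
    msin: str  # subscriber identification number (device/subscription-specific)


def parse_imsi(imsi: str) -> ImsiParts:
    """Split an IMSI string into MCC, MNC and MSIN.

    Raises ValueError on non-digit input, bad length, or an MCC whose MNC
    length is not in the table (rather than guessing the split).
    """
    if not imsi.isdigit():
        raise ValueError("IMSI must contain only digits")
    if not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI length out of range")
    mcc = imsi[:3]
    mnc_len = MNC_LENGTH_BY_MCC.get(mcc)
    if mnc_len is None:
        raise ValueError(f"unknown MNC length for MCC {mcc}")
    mnc = imsi[3:3 + mnc_len]
    msin = imsi[3 + mnc_len:]
    if len(mnc) != mnc_len or not msin:
        raise ValueError("IMSI too short for its MCC/MNC layout")
    return ImsiParts(mcc=mcc, mnc=mnc, msin=msin)


def identify_operator(imsi: str) -> str:
    """Return the operator label for the IMSI's MCC/MNC prefix, or 'unknown'."""
    parts = parse_imsi(imsi)
    return SAMPLE_OPERATORS.get((parts.mcc, parts.mnc), "unknown")


def redact_imsi(imsi: str) -> str:
    """Keep the operator prefix (useful for telemetry) and mask the MSIN."""
    parts = parse_imsi(imsi)
    return parts.mcc + parts.mnc + "X" * len(parts.msin)


if __name__ == "__main__":
    # Constructed sample IMSI, not a real subscriber.
    sample = "440101234567890"
    print(parse_imsi(sample))
    print(identify_operator(sample))
    print(redact_imsi(sample))
```

Failing closed on an unknown MCC (rather than assuming a 2-digit MNC) matters in practice: a wrong split silently attributes the subscriber to the wrong operator and leaks one extra MSIN digit through the redaction.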
FunkyBot harvests the target's contact list to facilitate its propagation. In its final stage, the malware changes the device settings to make itself the default SMS handler app.