FunkyBot Malware Intercepts Android Texts, 2FA Codes

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,057
An Android malware dubbed “FunkyBot” has started making the scene in Japan, operated by the same attackers responsible for the FakeSpy malware. It intercepts SMS messages sent to and from infected devices.

According to FortiGuard Labs, the malware (named after logging strings found in the persistence mechanism of the payload) masquerades as a legitimate Android application. The payload thus consists of two .dex files: One is a copy of the original legitimate application that the malware is impersonating, and the other is malicious code.

As for the kill chain, a packer first determines which version of Android the phone is running on, in order to generate the proper payload. After that, the payload is started by calling the method `runCode` class through Java reflection. This starts a class called KeepAliceMain, which is used as persistence mechanism by the malware.

“It uses an open source library that can be found on Github to keep the service alive on the device,” explained FortiGuard’s Dario Durando, in a blog this week. “It also allows the malware to mute sounds from the device.”
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top