Android spyware found to be spreading as antivirus software in Japan

A new variant of Android information-stealing software called “FakeCop” has been discovered by Japanese security researchers, who announced that the malicious APK is being distributed

First discovered by Japanese security researcher Yusuke Osumi, the malware is being distributed via a phishing attack posing as KDDI.

In addition, only 22 of the 62 AV engines registered at VirusTotal detected the attacker, indicating that the attacker is operating in hiding.

Posing as a general security tool

Cyble, a cybersecurity company, named the malware “FakeCop” and reported that it poses as “Anshin Security,” a popular anti-virus product in Japan. jp/service/anshin_security/

Researchers have analyzed this malware and say that this new spyware has the following features.

  • Collecting SMS, contacts, account information, app list
  • Modifying or deleting SMS in device database
  • Collecting device hardware information (IMEI)
  • Sending SMS without user’s knowledge

This spyware asks the user to grant a number of sensitive permissions to perform this function, as shown below.

  • Permissions requested by FakeCop
  • Permissions requested by FakeCop

Security software typically requires high permissions to scan and remove detected threats, so if a user receives such a request from AV software, they are more likely to grant it.

An attempt to avoid detection

The malware authors also use a custom packer to interfere with static detection while hiding the actual behavior of the app.

The malicious code is Bitwise XOR encrypted and stored in a file in the assets folder, which is only decompressed when called by a subclass of a specific app.

In addition, FakeCop proactively scans the list of apps on the device and pushes a notification to the user to uninstall any antivirus apps found.

Hard-coded AV solutions that encourage users to remove malware include Anshin Security, McAfee Security, and Docomo Anshin Scan.

As for how FakeCop reaches its victims, Cyble’s OSINT research has revealed two distribution channels: one is via SMS with malicious links, and the other relies on phishing emails.

The free dynamic DNS called “” that is being used as the delivery mechanism has been used before to deliver “Medusa” and “Flubot”, so it is possible that this campaign is tied to the same operator.

As a general rule, avoid clicking on URL links sent to you via SMS or email, and also avoid installing APK files from sources other than the Google Play Store.

Also, please periodically check to see if “Google Play Protect” is enabled, and be sure to check for permissions when installing new apps.