Reports indicate that a smishing campaign was conducted against Japanese Android users in the name of a Japanese power and water infrastructure company. The SMS contains a link that lures victims to a phishing site.
The SMS alerts the users about payment problems in the water or power infrastructure to create a sense of urgency and push them to act swiftly.
The smishing messages use different pretexts, including a notice that power transmission will be suspended due to non-payment and a notice that the water supply will be suspended due to non-payment.
Victims who visit these malicious URLs are prompted to install the SpyNote malware.
The source code of SpyNote was leaked in October 2022, after which it spread widely among cybercriminals and has been used for malicious purposes. SpyNote is capable of exploiting accessibility services and device administrator privileges.
It can also steal device location, contacts, SMS messages, and phone calls. Once the malware is installed, it appears with a legitimate app icon to look real.
When the victims open the application, it prompts them to enable the Accessibility feature.
If the victim grants permission, the application disables battery optimization, which allows it to run in the background, and also grants itself permission to install apps from unknown sources so that it can install other malware without the user’s knowledge or consent. For more details, read the McAfee blog post.
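The three device-state changes described above (an enabled accessibility service, a battery optimization exemption, and permission to install from unknown sources) can be checked together when triaging a handset. The following is an added example, not code from McAfee or from the original article; the adb output formats, the `com.example.*` package names, and the two-signal threshold are assumptions.

```python
# Correlate three signals taken from a device under examination. Inputs are the
# text outputs of these adb commands (formats assumed; samples are constructed):
#   adb shell settings get secure enabled_accessibility_services
#   adb shell dumpsys deviceidle whitelist
#   adb shell appops query-op REQUEST_INSTALL_PACKAGES allow

# Constructed sample outputs; the com.example.* package names are placeholders.
ACCESSIBILITY = ("com.google.android.marvin.talkback/.TalkBackService:"
                 "com.example.utilitybill/com.example.utilitybill.Svc")
DEVICEIDLE = """system-excidle,com.android.providers.downloads,10013
system,com.google.android.gms,10016
user,com.example.utilitybill,10231
user,com.example.musicplayer,10198"""
INSTALLERS = """com.android.chrome
com.example.utilitybill"""


def accessibility_packages(setting: str) -> set[str]:
    """Package part of each colon-separated 'package/service' component."""
    if setting.strip() in ("", "null"):  # 'null' is printed when the setting is unset
        return set()
    return {c.split("/", 1)[0].strip() for c in setting.split(":") if c.strip()}


def user_battery_exemptions(dump: str) -> set[str]:
    """Packages exempted after install ('user' rows), ignoring system defaults."""
    rows = (line.strip().split(",") for line in dump.splitlines())
    return {r[1] for r in rows if len(r) == 3 and r[0] == "user"}


def one_per_line(text: str) -> set[str]:
    """Package names listed one per line; skips notices such as 'No operations.'"""
    return {l.strip() for l in text.splitlines() if l.strip() and " " not in l.strip()}


def triage(acc: str, idle: str, installers: str) -> dict[str, list[str]]:
    """Map each package to the signals it shows; keep those with two or more."""
    signals = {
        "accessibility_service": accessibility_packages(acc),
        "battery_optimization_exempt": user_battery_exemptions(idle),
        "can_install_unknown_apps": one_per_line(installers),
    }
    hits: dict[str, list[str]] = {}
    for name, pkgs in signals.items():
        for pkg in pkgs:
            hits.setdefault(pkg, []).append(name)
    return {p: s for p, s in sorted(hits.items()) if len(s) >= 2}


if __name__ == "__main__":
    for pkg, sigs in triage(ACCESSIBILITY, DEVICEIDLE, INSTALLERS).items():
        print(f"{pkg}: {', '.join(sigs)}")
```

A package that shows all three signals is a candidate for closer inspection, not proof of infection; legitimate accessibility tools and app stores can hold some of these grants individually.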
This malware was previously found to be attacking the Bank of Japan in April, when it was distributed using a different method.
Threat actors keep up-to-date information about companies with legitimate reasons to contact their customers.
Indicators of Compromise
Command and Control Server
Smishing is one of the social engineering attacks used by threat actors to attack individuals who use SMS for communication. Users of mobile devices are recommended to keep an eye out for these kinds of smishing campaigns and be vigilant.