A new email spam campaign is not spreading drive-by downloads or peddling ordinary PC malware. Instead, attackers are using it to push Android malware, in this case FakeDefender, onto phones via email, researchers said.
The campaign relies on fake emails that appear to come from the United States Postal Service with messages that read: “USPS Notification: Courier couldn’t make the delivery of your parcel. Reason: Postal code contains an error,” asking users to “Print the Label,” said researchers at security firm FireEye.
Users need only click the featured link in the email, the “Print the Label” link, and a malicious .apk (Android package file) is downloaded, FireEye’s Vinay Pidathala wrote on the company’s blog.
Researchers went through the HTTP requests and found nearly two dozen URLs serving the .apk, some of them under the innocuous file name LabelReader.apk.
This malware isn’t entirely new. It surfaced earlier this year and deceives users into “paying for cleanup of other non-existent infections on their device.” As long as the user pays the fee, the phone will purportedly stay free of malware.
After it registers two broadcast receivers, the malware can also intercept incoming and outgoing calls and messages, the researchers said.
In some cases the download servers vary the payload according to the requesting browser’s User-Agent header: a request from an Android device gets the mysterious .apk, while the same link opened on another machine can return a .zip file instead, under a name as harmless-sounding as “Wedding_Invitation_Chicago.zip,” for example.
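Because the file name and extension are chosen by the attacker, the useful check is to request the same link with several User-Agent strings and classify each response by its bytes rather than by its advertised name. The following is an added example written for this article, not FireEye’s tooling: the User-Agent strings, the hypothetical `fake_usps_server` stand-in and the two sample archives are constructed here so it runs offline; `http_fetcher` is the live equivalent and should only be pointed at infrastructure you are authorised to probe.

```python
"""Fingerprint what a suspect download link actually serves to different
clients.  Added example for this article, not FireEye's code: the User-Agent
strings, the fake server and the sample archives are constructed here."""
import io
import zipfile
from typing import Callable, Dict, Tuple

# Assumed User-Agent strings: an Android stock browser and a desktop Chrome.
USER_AGENTS: Dict[str, str] = {
    "android": "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; GT-I9300 Build/JZO54K) "
               "AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
    "windows": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36",
}

# A fetcher maps (url, user_agent) to (advertised file name, response body).
Fetcher = Callable[[str, str], Tuple[str, bytes]]


def fingerprint(body: bytes) -> str:
    """Classify a payload by its bytes; the advertised name is attacker-controlled."""
    if body[:2] == b"MZ":
        return "pe-executable"
    if body[:4] != b"PK\x03\x04":
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "corrupt-zip"
    # An APK is a zip that carries a binary manifest and Dalvik bytecode.
    if "AndroidManifest.xml" in names and "classes.dex" in names:
        return "android-apk"
    if any(n.lower().endswith((".exe", ".scr", ".com", ".pif")) for n in names):
        return "zip-with-windows-executable"
    return "zip"


def probe(url: str, fetcher: Fetcher,
          user_agents: Dict[str, str] = USER_AGENTS) -> Dict[str, Tuple[str, str]]:
    """Request the same URL once per User-Agent; return advertised name and true type."""
    results: Dict[str, Tuple[str, str]] = {}
    for label, ua in user_agents.items():
        filename, body = fetcher(url, ua)
        results[label] = (filename, fingerprint(body))
    return results


def is_cloaked(results: Dict[str, Tuple[str, str]]) -> bool:
    """True when different clients received different kinds of payload."""
    return len({kind for _, kind in results.values()}) > 1


def http_fetcher(url: str, ua: str) -> Tuple[str, bytes]:
    """Live fetcher (not used by the offline demo): caps the body at 8 MiB."""
    import email.message
    import urllib.request
    req = urllib.request.Request(url, headers={"User-Agent": ua})
    with urllib.request.urlopen(req, timeout=15) as resp:
        body = resp.read(8 * 1024 * 1024)
        msg = email.message.Message()
        cd = resp.headers.get("Content-Disposition")
        if cd:
            msg["Content-Disposition"] = cd
        filename = msg.get_filename() or url.rsplit("/", 1)[-1]
    return filename, body


def _zip_of(entries: Dict[str, bytes]) -> bytes:
    """Build a small in-memory zip (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Hypothetical stand-in for the campaign's download server: an APK-shaped archive
# for Android clients, a zip wrapping a PE stub for everything else (constructed).
_FAKE_APK = _zip_of({"AndroidManifest.xml": b"\x03\x00\x08\x00", "classes.dex": b"dex\n035\x00"})
_FAKE_ZIP = _zip_of({"Wedding_Invitation_Chicago.exe": b"MZ\x90\x00"})


def fake_usps_server(url: str, ua: str) -> Tuple[str, bytes]:
    if "Android" in ua:
        return "LabelReader.apk", _FAKE_APK
    return "Wedding_Invitation_Chicago.zip", _FAKE_ZIP


if __name__ == "__main__":
    verdict = probe("http://example.invalid/print-label", fake_usps_server)
    for client, (name, kind) in verdict.items():
        print(f"{client:8} -> {name:32} {kind}")
    print("cloaked:", is_cloaked(verdict))
```

Swapping `fake_usps_server` for `http_fetcher` turns this into a real cloaking probe; a server that hands an `android-apk` to one User-Agent and a `zip-with-windows-executable` to another is exactly the behaviour described above, and neither the `.apk` nor the `.zip` name is needed to spot it.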
Scareware like this should be blocked from installing on most Android phones at their default settings. Email delivery is still a relatively new vector for an Android malware campaign, following in the footsteps of Windows malware.
Android users can keep the “allow installation of apps from unknown sources” setting disabled in their security settings; that does not stop the .apk from being downloaded, but it does stop it from being installed. In the same section users can also turn on “Verify apps,” which warns before, or blocks, the installation of apps known to be malicious.
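For anyone responsible for a fleet of phones rather than one, the same two settings can be read over adb instead of tapped through the UI. The following is an added example, not part of the original article. It assumes the settings-provider keys of Android 4.x to 7.x (`install_non_market_apps`, which moved between the `secure` and `global` namespaces across releases, and `package_verifier_enable`), so both namespaces are tried; on Android 8 and later the unknown-sources switch is per app and the key reads as `null`, which the audit reports rather than treating as a pass. The `replay_getter` helper and the serials in the demo are constructed for offline use.

```python
"""Audit the 'unknown sources' and 'verify apps' settings on an adb-attached
Android device.  Added example, not from the article.  Assumed keys:
install_non_market_apps (secure or global namespace depending on release)
and package_verifier_enable (global); 'null' means the toggle does not exist."""
import subprocess
from typing import Callable, Dict, List, Tuple

Getter = Callable[[str, str, str], str]   # (serial, namespace, key) -> raw value

# (name, namespaces to try in order, key, value we want to see)
CHECKS = [
    ("unknown_sources", ["secure", "global"], "install_non_market_apps", "0"),
    ("verify_apps",     ["global"],           "package_verifier_enable",  "1"),
]


def adb_settings_get(serial: str, namespace: str, key: str) -> str:
    """Run `adb -s <serial> shell settings get <namespace> <key>`."""
    proc = subprocess.run(
        ["adb", "-s", serial, "shell", "settings", "get", namespace, key],
        capture_output=True, text=True, timeout=20, check=True)
    return proc.stdout.strip()


def replay_getter(values: Dict[Tuple[str, str], str]) -> Getter:
    """Getter backed by a recorded {(namespace, key): value} dump (constructed data)."""
    def getter(serial: str, namespace: str, key: str) -> str:
        return values.get((namespace, key), "null")
    return getter


def read_setting(serial: str, namespaces: List[str], key: str, getter: Getter) -> str:
    """Return the first non-null value across the candidate namespaces."""
    for ns in namespaces:
        value = getter(serial, ns, key)
        if value not in ("", "null"):
            return value
    return "null"


def audit_device(serial: str, getter: Getter = adb_settings_get) -> Dict[str, Tuple[str, str]]:
    """Map each check to (observed value, 'ok' | 'weak' | 'not-present')."""
    findings: Dict[str, Tuple[str, str]] = {}
    for name, namespaces, key, wanted in CHECKS:
        value = read_setting(serial, namespaces, key, getter)
        if value == "null":
            status = "not-present"     # no global toggle on this release
        elif value == wanted:
            status = "ok"
        else:
            status = "weak"
        findings[name] = (value, status)
    return findings


def weak_settings(findings: Dict[str, Tuple[str, str]]) -> List[str]:
    """Names of checks that a user or MDM policy still needs to fix."""
    return sorted(name for name, (_, status) in findings.items() if status == "weak")


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: audit.py <adb serial>")
    report = audit_device(sys.argv[1])
    for name, (value, status) in report.items():
        print(f"{name:16} {value:>5}  {status}")
    print("needs attention:", weak_settings(report) or "none")
```

Run with a device serial from `adb devices`; `1` for `unknown_sources` is the setting that lets the emailed LabelReader.apk install at all, and `0` for `verify_apps` removes the install-time warning.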