In the last few hours, the number of people affected by the SMS scam has been skyrocketing. It is one of the most dangerous and sophisticated Trojans in the history of Android, with aggressive behavior, capable of controlling the device almost completely.
We have installed the fake FedEx app to check how it works and what exactly it does. To understand the technical operation of the app even better, we have had the help of Linuxct, an expert developer in this field. We can already say that it is even worse than we imagined at first, since it shows behaviors that are not common even among malware.
The package-to-pick-up scam begins with an SMS. It arrives on your phone from a Spanish number and addresses you by name. It can reach both an iPhone and an Android, although the mechanism used on each operating system is different, and only Android is actually affected.
The content of this SMS tells us that we have a package to collect and that, to do so, they need our details. The text contains a link that leads to a web page imitating the FedEx site, in the case of Android. On iOS, third-party files cannot be installed so easily, so instead we find advertising and fake websites that simulate a raffle for an iPhone. Returning to the interface shown on Android, this website has only one button, to download an APK file, which is responsible for everything that follows.
This file is called FedEx.apk and its size is between 3.8 and 5.8 megabytes, depending on the version we install. The app is constantly changing, so these figures may vary. Currently, when we download the APK, Google warns us that it may be a malicious app; in fact, it is already registered in Google Play Protect, the protection service Google runs so that we do not install malware. Although Google knows it is a malicious file, it can still be installed on Android if we accept it.
Before installing it, a few alarms go off. First of all, as we have mentioned, Google Play Protect warns us that it may be a harmful app. Second, as soon as we open the app, it tells us that it needs the accessibility service to work and, finally, it asks for full control of the device. These are special permissions that it should not need to ask for and that give it control over our phone.
This is the APK that completely controls the phone
The first thing the app does is show a panel telling us that the accessibility service must be activated in order to use FedEx. If we accept, the Android accessibility menu opens (manual path: Settings / Accessibility).
At this point, Android describes what the accessibility permission allows. In this case we are talking about full control over the device. In fact, the message literally says “Do you want to allow FedEx to fully control your device?” If we accept, the application is able to do two key things.
- View and control the screen: the app can read all the contents of the screen and display content on top of other applications. That is, it can read all your passwords, messages, contacts and content on your phone.
- See and perform actions: the app can record interactions with the phone, even those coming from hardware sensors, as well as interact with other applications on our behalf.
To give you an idea of the depth of giving full control to an application (which is able to act on its own on the system settings), these are some of the key permissions it has access to, as shown by the analysis of the APK file on VirusTotal.
| Category | Permission |
|---|---|
| PHONE | android.permission.READ_PHONE_STATE |
| BACKGROUND OPERATION | android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS |
What these permissions mean is that, once we grant it the accessibility permission, the application grants itself further permissions through a process known as tap-jacking, which abuses that accessibility permission to register touches on the screen in software. Thus, it is able to give itself permission to:
- Read call log
- Read and send SMS
- Read your contact book
- Read phone status (on call, connected to mobile data network, phone identity, etc.)
- Stay active in the background and disable battery optimizations
- Read all the content on your screen and running applications
- See what applications the user has installed
- Uninstall applications on behalf of the user
- Read data from clipboard
As we can see, the app is capable of writing, sending and receiving SMS, accessing our contacts, making calls, connecting to the internet and running constantly in the background. Likewise, in its latest version, it hides its icon in the launcher to prevent us from deleting it, as we will detail later.
Another relevant point about the file is that it is capable of updating itself by executing dynamic code downloaded from the internet; in other words, code from the network that can be changed (updated, modified). This code is downloaded from a CnC (command and control) server, with which it communicates in an encrypted way. This communication is especially dangerous because it allows the phone to send data constantly: any data it collects from the user can be sent to the CnC server. In short, the app's behavior can change, which makes it even more dangerous.
The first steps of the app on our phone
Once we have granted it permissions, the app is free to move around the system. So much so that the first thing it does is set itself as the default messaging app. This manual process, which should be in the hands of the user, is automated so that the app can do it by itself. If we try to reverse the change, Android shows us the error “this action cannot be performed in a system service” and closes the settings directly, so that we cannot do anything.
It manages to close the settings by pressing home three times without us noticing. That is, as soon as we go after the app and it feels “attacked”, it presses home three times so that we are sent back to the home screen and cannot reach the settings needed to uninstall it.
Not only does it set itself as the default messaging app, but if we try to open Google Messages or whichever app we previously had as default, it overlays itself on top of it to show its own interface. In this way, whatever we do, we go through this application, which will read our SMS, will be able to write and send them in the background, and will have full access to our contact list. This contact list goes to a database from which the SMS is sent out again, and from the contacts who fall for the scam it will obtain still more contacts to keep growing. This also means that we may incur extra charges for SMS sent without our permission.
The most shocking thing is that there is no way to delete this application for good because, every time we try to access it, either from the apps menu or from Accessibility to revoke its permissions, it automatically closes the settings, as we have explained. Thus, we have an application capable of reading the phone's passwords and SMS and acting at its own will, without our being able to stop it on our own.
How it is able to steal accounts and bank details
As we have indicated, this application has every permission it needs to access the contents of our screen. It only needs us to open the bank's application, and it can literally see the password we type into it. For this, the app shows a fake window when we open the banking app, and through this fake window our credentials can be stolen. Likewise, it is technically possible for it to grab any credential without even displaying a fake window, since it records the information on the screen and can capture it.
In the same way, it has full access to our SMS, so it can steal any data from the DNI (national ID number) linked to the bank or to any other service in which we have entered it. With a DNI number and an SMS verification code that we are not aware of, this data can be used to log into our bank account, both from the phone itself and from outside.
With all this information and the SMS permission (remember that it can read, write, send and receive without our knowledge), the app has a free hand to transfer money with our credentials and pass SMS verification without us even noticing. Likewise, the app is able to detect whether a banking application is installed in order to attack it directly.
How to uninstall this app
There are three main ways to remove this application, either from the phone itself or from a PC. The easiest is to use safe mode. This is Android's way of running only the basic system apps, designed precisely so that the ones causing problems can be uninstalled. Safe mode is accessed very easily on most phones, although the procedure changes on others.
On mobile with pure Android and similar
You simply have to press and hold the power-off option in the power menu, which will offer to restart in safe mode.
On Samsung mobiles
To activate safe mode on a Samsung, follow these steps:
- Turn off the device
- Press and hold the Power key until the name of the phone appears on the screen
- When “ SAMSUNG ” appears on the screen, release the Power key
- Immediately after releasing the Power key, press and hold the Volume Down key.
On Huawei phones
On Huawei phones, these are the steps to activate safe mode.
- Turn off the phone
- Press the power button and the volume up button
- Wait until a new screen appears
- On this screen, click on ‘Safe Mode’
This mode disables all the applications that the user has installed, so this APK will not be able to run, and it can then be uninstalled manually. The route is as follows:
- Open the phone settings
- Go to the applications menu
- Search for FedEx and click on it
- Hit ‘uninstall’
Second, a factory reset of the phone, as detailed in Engadget, eliminates all third-party applications as well as any files that may remain on the phone. Due to the diversity of customization layers that exist on Android, some include it in the Backup section, others in User Accounts, others in Security. If you cannot find it, use the search box at the top to search for “restore” or “reset”. To perform a factory reset, follow these steps.
- Open the phone settings
- Type “restore” or “reset” into the search box
- Click on the option to “delete all data” or “delete all”, etc.
- Wait for the phone to reboot completely
Finally, the most complicated method, aimed at experts, is to remove the application using ADB commands. In short, we will use the Windows or macOS command console to remove the application from there. First of all, the ADB drivers must be installed, on both Windows and macOS.
Once we have the ADB drivers installed, we will have to enable USB debugging from the developer options. To get there, follow these steps.
- We open the phone settings
- We go to ‘about the phone’, ‘information about the phone’ or similar
- We look for ‘build number’ and click on it seven times
- We return to the settings menu
- Click on ‘system’
- Click on ‘advanced options’
- We go to the developer options
- We activate ‘USB debugging’.
Once USB debugging is enabled, we connect the phone to the PC and open a command console. On Windows we do this by typing ‘terminal’ in the search bar, and on macOS we do the same, in this case in the search magnifying glass.
Once the phone is connected, we have to perform these steps to remove the application:
- Open command console
- Type “adb shell”
- Type the command “pm uninstall com.tencent.mm”
Done. In this way, the application will be removed from your phone and should not cause problems again. As always in these cases, we recommend taking special care with external APKs, especially if the operating system itself warns us that they may pose a danger.
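As an added example (not code from the article or from Linuxct's analysis), here is a small POSIX shell script that automates the checks a defender would run from the PC before the ADB uninstall step above, and that also verifies the two abuses described earlier, the self-granted accessibility service and the takeover of the default SMS app. It assumes the package name com.tencent.mm quoted in the uninstall command, a phone with USB debugging enabled, and adb on the PATH; the file name fedex_check.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes the package name
# "com.tencent.mm" from the article's uninstall step; override with PKG=... if needed.
# Reports whether the package is installed, whether it holds an enabled accessibility
# service, and whether it is the default SMS app, then runs the article's "pm uninstall".
# The helpers read command output from stdin so they can be tested on constructed text.
PKG="${PKG:-com.tencent.mm}"

# 0 if "package:<PKG>" appears in `pm list packages` output (stdin). CRs are stripped
# because adb on Windows may emit CRLF line endings.
pkg_installed() {
  tr -d '\r' | grep -qxF "package:$PKG"
}

# 0 if any component of PKG is listed in the enabled_accessibility_services secure
# setting (stdin), a colon-separated list of "package/ServiceClass" names.
pkg_has_accessibility() {
  tr -d '\r' | tr ':' '\n' | sed 's#/.*##' | grep -qxF "$PKG"
}

# 0 if PKG is the value of the sms_default_application secure setting (stdin).
pkg_is_default_sms() {
  tr -d '\r' | grep -qxF "$PKG"
}

# Live check against the connected device; requires adb in PATH and USB debugging on.
live_check() {
  adb shell pm list packages | pkg_installed || { echo "$PKG is not installed"; return 1; }
  echo "$PKG is installed"
  adb shell settings get secure enabled_accessibility_services | pkg_has_accessibility \
    && echo "WARNING: $PKG has an enabled accessibility service"
  adb shell settings get secure sms_default_application | pkg_is_default_sms \
    && echo "WARNING: $PKG is the default SMS app"
  adb shell pm uninstall "$PKG"
}

# Only touch a device when run as "sh fedex_check.sh --live".
if [ "$1" = "--live" ]; then
  live_check
fi
```

If the uninstall is refused in normal mode, the same command can be repeated after booting into safe mode as described above.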