Yanobi Gang: A Chinese group, which goes by the name Yanobi Gang, has been linked previously to using the Fakespy malware. Now the same group that was using Fakespy is using the malware Funkybot. Funkybot is currently targeting Japanese users, just like the group has done in the past. Funkybot consists of two .dex files, one being a copy of the application that the malware is impersonating and the other contains the malicious code. To begin infection, the malware will determine which type of Android phone the victim is using to generate the proper payload for that particular attack. Next, the “runcode” class is called through a Java reflection. This then starts the persistence for the malware called “KeepAliceMain.” Funkybot uses social media to obtain its C2, and downloads the webpage photo-less Instagram account. It then extracts the biography field of this account and decodes it using base64. The malware collects IMEI number, IMSI number, phone number and a list of contacts from the infected device. After the list of contacts is extracted, a fake number is used to generate a SMS message to the contacts, letting the malware spread in a worm-like fashion.
Methods like this have been seen with other malware. No one has called out that Yanobi Gang is behind this attack, but with the link between the Fakespy and Funkybot malware, it is possible it is the same attackers targeting these Japanese users as before.