
Threat Actor using Malicious Fake App to target Customers of Major Japanese Telecom Service

During our routine threat hunting exercise, Cyble Research Labs came across an Android malware sample which raised red flags since it was linked to a phishing campaign primarily targeting customers of telecommunication services in Japan.

In an increasingly interconnected world, Telecommunications is the primary enabler to connect with each other. From email and messaging to phone and video calls, we rely on the Telecom industry heavily. This is also reflected in our businesses, workplaces, and infrastructure which are all reliant on modern telecommunication servers.

This ubiquity, combined with our reliance on them, makes telecoms a major target for cybercriminals. One of the main techniques is to target subscribers of Telecom networks and by extension their mobile devices.

An example of one such technique is infecting mobile devices with malware to exploit payment services and collect personal information. We have covered one such incident in this analysis.

According to our research, the Threat Actor(s) (TA) behind this campaign has hosted multiple domains and spreads a fake version of the official Telecommunication network’s Android application. Upon analyzing the sample, we determined that the malware conducts phishing activities to steal credentials and session cookies. It then proceeds to upload this information to the TA’s email account through Simple Mail Transfer Protocol (SMTP).

Post analysis, our team has studied the attacker’s activities and the stolen data residing in the TA’s Infrastructure, which is covered in the below analysis.

Technical Analysis

APK Metadata Information

App Name: NTT*****

Package Name: com.******.cookie

SHA256 Hash: *******8e7733db22645fee95482dccf5260dcd******0de77d2120c3845

Figure 1 shows the metadata information of the application.

Figure 1: Metadata Information

Figure 2 shows the malware has the icon and name of a major Japanese Telecom company.

Figure 2: Application Icon and Name

Upon simulating the application, it requests that the users turn off their Wi-Fi and log in with their network PIN, as shown in Figure 3.

Figure 3: Request to Turn Off Wi-Fi and log in with Network Pin

Manifest Description

The fake app requests two permissions, of which the attackers could abuse one to get information about network connections on the device.

The dangerous permission is mentioned below.

ACCESS_NETWORK_STATE | Allows the app to view information about network connections.
Table 1: Permissions’ Description

Upon reviewing the application’s manifest, the malicious app’s launcher activity was identified, as shown in Figure 4.

Figure 4: Launching Activity

Malware Behavior

As mentioned earlier, the fake app initially requests the users to connect to the cellular network by disabling Wi-Fi as soon as it is launched.

Upon connecting to the cellular network, the malware displays the official webpage of the telecom provider’s payment service through WebView and asks the user to log in with their Network PIN, as shown in Figure 3.

A Network PIN is a four-digit number that is assigned to the customer when the subscription is finalized.

If the subscriber wants to verify their identity or change various settings, they will require this PIN.

The code used to display the official website using WebView is shown below.

Figure 5: Code to display the official payments URL in WebView

As highlighted in Figure 5, the malware stores these strings in encrypted form in the code to hinder reverse engineering and detection by security software. The decryption code used by the malware is given below.

Figure 6: Encryption and Decryption Code

The official payment service webpage URL (post decryption): hxxps://payment2.smt.*****.ne[.]jp/smph/history/gadap031.srv

Post login, the malware collects the victim’s credentials, including Network PIN. Along with that, it also steals the session cookies of the user’s telecom payment service account.

The malware runs JavaScript (JS) code in the logged-in webpage loaded inside the WebView. It then proceeds to steal the credentials from the webpage content. The JS code used for credential-stealing is shown below.

Figure 7: Malicious JavaScript Code

Additionally, the fake malicious app collects the logged-in session cookies using the CookieManager API and initiates sending the information through email, as shown below.

Figure 8: Code to steal Session Cookie

The malicious app collects the information and sends it as email content to the TA’s email account over SMTP. We also identified two email IDs from this code. The code used to send the email to the TA is shown below.

Figure 9: Code to send an email with victim’s information to TA’s account
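
A static triage pass over decompiled sources for the behaviour combination described above (JS run inside a WebView, session cookies read through CookieManager, results sent over SMTP), as an added example that is not code from the sample or from Cyble. The regex patterns, the `triage` scoring and the sample snippets are assumptions constructed for illustration; because the sample encrypts its strings, the patterns key mainly on API and class references rather than string literals.

```python
import re

# Source patterns for the behaviours the analysis describes (this example's
# assumptions about how they appear in decompiled Java).
INDICATORS = {
    "webview_js_enabled": re.compile(r"setJavaScriptEnabled\s*\(\s*true\s*\)"),
    "js_injection": re.compile(r'evaluateJavascript\s*\(|loadUrl\s*\(\s*"javascript:'),
    "cookie_read": re.compile(r"CookieManager\b[\s\S]*?\.getCookie\s*\("),
    "smtp_send": re.compile(r"javax\.mail\.|Transport\.send\s*\(|mail\.smtp\."),
}

def scan_sources(sources):
    """Map each indicator to the files (path -> source text) that contain it."""
    hits = {}
    for path, text in sources.items():
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.setdefault(name, []).append(path)
    return hits

def triage(sources):
    """'high': WebView content collection plus an SMTP sender in one app;
    'review': collection only; 'low': neither."""
    hits = scan_sources(sources)
    collects = "cookie_read" in hits or (
        "webview_js_enabled" in hits and "js_injection" in hits)
    if collects and "smtp_send" in hits:
        return "high", hits
    return ("review" if collects else "low"), hits

# Constructed samples, not the malware's code.
SUSPECT = {
    "com/example/fake/MainActivity.java": """
        webView.getSettings().setJavaScriptEnabled(true);
        webView.evaluateJavascript(script, callback);
        String c = CookieManager.getInstance().getCookie(url);""",
    "com/example/fake/Mailer.java": """
        import javax.mail.Transport;
        props.put("mail.smtp.host", decrypt(HOST));
        Transport.send(message);""",
}
BENIGN = {
    "com/example/shop/WebActivity.java": """
        webView.getSettings().setJavaScriptEnabled(true);
        webView.loadUrl("https://shop.example/");""",
}

if __name__ == "__main__":
    for label, app in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, *triage(app))
```

A "high" result is a prompt for manual review of the flagged files, since legitimate apps can also combine WebView login flows with mail libraries.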

Our research team decrypted all the strings in the malware’s code.  

Based on our findings, we studied the attacker’s endpoint, where the TA stores the customer’s stolen credentials/cookies.

Figure 10 shows the endpoint where the TA has stored the credentials.

Figure 10: Victim’s data in TA’s email account

Upon analyzing the entire data in the TA’s account, we found 2900+ credentials/cookies both from Android and Apple users. This stolen data is divided between devices as below:

  • 2141 Apple mobile device victims.
  • 797 Android victims.

Additionally, we found a Gmail account associated with the TA. This account is set as the recovery email for the TA’s email account. The details are shown in the figure below.

Figure 11: TA associated Gmail account set as recovery email


The Threat Actors behind malicious applications are constantly adapting and using various sophisticated techniques to avoid detection. Such malicious applications masquerade as legitimate applications to trick users into installing them.

Users should only install applications from the official App portals such as the Google Play Store and the official Apple App Store to secure themselves from such attacks.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   

  • Download and install software only from official app stores like Google Play Store & Apple App Store
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • If you find this malicious application on your device, uninstall, or delete it immediately. 
  • Use the shared IOCs to monitor and block the malware infection. 
  • Keep your anti-virus software updated to detect and remove malicious software. 
  • Keep your devices, operating systems, and applications updated to the latest versions. 
  • Use strong passwords and enable two-factor authentication.  

MITRE ATT&CK® Techniques

Tactic | Technique ID | Technique Name
Execution | T1204.002 | User Execution: Malicious File
Defense Evasion | T1444 | Masquerade as Legitimate Application
Credential Access | T1539 | Steal Web Session Cookie
Collection | T1507 | Network Information Discovery
Defense Evasion | T1406 | Obfuscated Files or Information

If you are interested in a detailed list of IOCs, please reach out at

About Us

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit
