The latest, very active SMS scam on mobile phones in Spain pretends to be the FedEx courier, with a short message that reads: "FedEx: Your shipment is coming, track it here", followed by a link that takes us to download a malicious apk (an Android application installer). As usual in these scams, the accents are missing from the Spanish text.
2021 is proving a very propitious year for this type of scam and deception. The SMS impersonating Correos (the Spanish Post Office) in the first days of January reached thousands of users with enormous intensity. Later, DHL was the delivery company used to mislead many users with the message "DHL: Your package is arriving, track it here: [web page that imitates the courier company's site]". It seems clear that impersonating couriers is the new favourite lure for obtaining data from potential victims.
"fedex.apk": 7620fb910b3ac97b8d3ce4b42474b47efbf9f07d8d5e6203d8bfd37521b88b73 (MalwareHunterTeam, @malwrhunterteam, February 11, 2021)
A fake Fedex app for Android and a giveaway scam on iOS
Given that the attackers probably know that most people in Spain use Android smartphones, the scheme is the same as that of Correos and DHL, but only on that platform. That is, on Google's operating system, the link that reaches us via SMS redirects us to a website to download "Fedex.apk", a malicious application with which we can supposedly "track our package".
On iOS, when the mobile Safari user agent is detected, the web page that loads is very different, and the scam is the classic warning that we have won an iPhone in a raffle, so we will be asked to enter our data to receive it, upon payment of an amount.
Returning to the Android case, which is likely the most widespread, the apk file is once again a malware installer, which Chrome does detect as malicious on download and tries to block. As in the previous cases, the fake Fedex website not only urges us to download the file but, since it is an installer from outside the Play Store, also tells us how to "install from unknown sources". The attackers know that this way they will bypass the system's protections.
Once installed, the apk asks for permissions to make calls, read contacts, read and send SMS, etc. This is what the attackers are after: getting hold of our sensitive phone data, but also of our address book, so they can send the scam SMS to as many people as possible. This is how the campaign propagates. If we grant deeper permissions, as the Correos application requested, uninstalling the apk becomes harder because it is protected by them; those permissions will have to be revoked before it can be uninstalled.
As was the case with the Correos apk, the Fedex apk not only follows the same scheme, but the package also carries the name "com.tencent.mm", according to the analysis by VirusTotal, one of the best websites for analysing malicious files. In other words, the name of a Chinese multinational comes to the fore again, although it is not related to the scam. As always, if one of these SMS arrives, we must look very carefully at the link, as well as at the spelling.
In the case of the Fedex SMS, the link does not use HTTPS, which should raise alarms. In addition, none of the courier companies will send us this kind of message telling us how to install their application unofficially instead of linking to the Play Store.
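The indicators the article lists (a link without HTTPS, a direct .apk download instead of the Play Store, a courier name next to a domain that is not the courier's, and Spanish words written without their accents) are simple enough to encode as a triage script. The following Python is an added example, not code from the article or from any of the companies mentioned: the sample SMS texts are constructed, the list of "official" domains per brand and the accent dictionary are assumptions made for the example, and the only value taken from the article is the SHA-256 hash of the "fedex.apk" sample quoted from MalwareHunterTeam, used here to check a downloaded file against that published indicator.

```python
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# SHA-256 of the "fedex.apk" sample as published in the quoted tweet.
KNOWN_BAD_SHA256 = {
    "7620fb910b3ac97b8d3ce4b42474b47efbf9f07d8d5e6203d8bfd37521b88b73":
        "fedex.apk (MalwareHunterTeam, 2021-02-11)",
}

# Brands abused in the campaigns described, mapped to the domains a defender
# would treat as legitimate. ASSUMPTION for this example, not from the article.
OFFICIAL_DOMAINS = {
    "fedex": ("fedex.com",),
    "dhl": ("dhl.com", "dhl.es"),
    "correos": ("correos.es",),
}

# Spanish words these lures tend to write without the accent they require.
MISSING_ACCENT = {
    "aqui": "aquí",
    "siguelo": "síguelo",
    "rastrealo": "rastréalo",
    "paqueteria": "paquetería",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


@dataclass
class Verdict:
    suspicious: bool
    reasons: list


def _is_official(host, brand):
    """True when host is the brand's domain or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS[brand])


def assess_sms(text):
    """Apply the article's red flags to one SMS and explain each hit."""
    reasons = []
    lower = text.lower()
    words = set(re.findall(r"\w+", lower))
    brands = [b for b in OFFICIAL_DOMAINS if b in words]

    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme == "http":
            reasons.append(f"link without HTTPS: {url}")
        if parsed.path.lower().endswith(".apk"):
            reasons.append(f"direct APK download instead of Play Store: {url}")
        for brand in brands:
            if not _is_official(host, brand):
                reasons.append(f"mentions {brand} but links to {host}")

    for bad, good in MISSING_ACCENT.items():
        if bad in words:
            reasons.append(f"'{bad}' written without accent (expected '{good}')")

    return Verdict(bool(reasons), reasons)


def check_apk_hash(apk_bytes):
    """Return the indicator label if the file matches a known sample, else None."""
    digest = hashlib.sha256(apk_bytes).hexdigest()
    return KNOWN_BAD_SHA256.get(digest)


# Constructed sample messages: two lures in the style the article describes,
# one legitimate courier notification, one unrelated SMS.
SAMPLE_SMS = [
    "FedEx: Su envio esta en camino, rastrealo aqui: http://fedex-track.example/fedex.apk",
    "DHL: Su paquete esta llegando, siguelo aqui: http://dhl-seguimiento.example/",
    "Tu pedido de la tienda ha sido enviado. Seguimiento: https://www.fedex.com/track",
    "Recordatorio: cita con el dentista el martes a las 10:00.",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        verdict = assess_sms(sms)
        print("SUSPICIOUS" if verdict.suspicious else "ok       ", sms)
        for reason in verdict.reasons:
            print("    -", reason)
```

The domain check is deliberately strict: a brand name appearing anywhere in the message with a link to any domain outside that brand's own is flagged, which is exactly the pattern of the Correos, DHL and FedEx waves. The accent heuristic is a weak signal on its own (some unaccented forms are valid words), so it is reported as one reason among several rather than used alone to decide.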