FakeGram
Malware
⚠️ Overview
FakeGram is an Android banking trojan first documented by Cleafy in August 2022, attributed to a threat actor tracked as Team Universe, who operates it as a malware-as-a-service (MaaS) targeting Brazilian financial institutions. It falls under the categories of credential stealer and overlay attack malware, leveraging fake login screens to intercept two-factor authentication (2FA) codes and credentials.
🔧 Technical Capabilities
FakeGram abuses Android’s Accessibility Service to perform overlay attacks on over 50 Brazilian banking apps, capturing credentials, SMS messages, and push notification content. It employs a C2 infrastructure using Firebase Cloud Messaging (FCM) for command delivery and WebSocket channels for exfiltration, enabling real-time theft of OTP codes. Persistence is achieved through device administrator abuse and hiding its icon after installation. Evasion techniques include checking for debugger presence, emulator detection, and dynamic code loading via DEX files. Propagation occurs primarily through phishing SMS messages with shortened URLs hosting the malicious APK.
📜 History & Notable Incidents
First observed in July 2022 by Cleafy, FakeGram was linked to campaigns targeting Brazil’s largest banks, including Banco do Brasil, Itaú, and Caixa Econômica Federal. In September 2022, a new variant added support for intercepting WhatsApp messages to bypass 2FA. No specific CVEs have been assigned, as the malware relies on social engineering and Accessibility Service abuse rather than unpatched vulnerabilities.
🔍 Detection Indicators
Indicators include package names like com.app.insta and com.seguranca.atualizacao; network IOCs include C2 domains such as fireio[.]xyz and sparkcloud[.]xyz. The malware creates a mutex named GlobalAppDeviceAdminLock and registers a device admin receiver titled DeviceAdmin. Behavioral signatures involve overlay views appearing on top of legitimate banking apps and persistent background service requests for Accessibility permissions.
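As an added triage example (not code from the page or from Cleafy), the following Python matches the indicators listed above against constructed sample input: a DNS resolver log, `adb shell pm list packages` output, and the value of `settings get secure enabled_accessibility_services`. The log line format, the sample host and package names, and the `.AccessService` component name are assumptions; the defanged IOC values are the ones from this section.

```python
import re

# Indicators exactly as listed in the Detection Indicators section (defanged).
FAKEGRAM_PACKAGES = {"com.app.insta", "com.seguranca.atualizacao"}
FAKEGRAM_C2_DOMAINS = {"fireio[.]xyz", "sparkcloud[.]xyz"}

# Constructed sample input (assumed formats): a resolver log, `adb shell pm list
# packages` output, and the `enabled_accessibility_services` secure setting.
SAMPLE_DNS = [
    "2022-09-01T10:00:01Z client 10.0.0.5 query: www.google.com A",
    "2022-09-01T10:00:02Z client 10.0.0.5 query: api.sparkcloud.xyz A",
    "2022-09-01T10:00:03Z client 10.0.0.7 query: fireio.xyz A",
    "2022-09-01T10:00:04Z client 10.0.0.7 query: notfireio.xyz A",
]
SAMPLE_PM = "package:com.android.chrome\npackage:com.seguranca.atualizacao\n"
SAMPLE_A11Y = ("com.seguranca.atualizacao/.AccessService:"
               "com.google.android.marvin.talkback/.TalkBackService")

def refang(domain):
    """Turn a defanged indicator ('fireio[.]xyz') into a matchable FQDN."""
    return domain.replace("[.]", ".").lower().rstrip(".")

def domain_matches(fqdn, ioc_domains):
    """Return the IOC that fqdn equals or is a subdomain of, else None.
    The '.' + ioc check keeps 'notfireio.xyz' from matching 'fireio.xyz'."""
    fqdn = fqdn.lower().rstrip(".")
    for ioc in ioc_domains:
        d = refang(ioc)
        if fqdn == d or fqdn.endswith("." + d):
            return ioc
    return None

def scan_dns_log(lines, ioc_domains=FAKEGRAM_C2_DOMAINS):
    """Return (line_no, queried_name, matched_ioc) for each C2 lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"query:\s*([A-Za-z0-9.-]+)", line)
        ioc = domain_matches(m.group(1), ioc_domains) if m else None
        if ioc:
            hits.append((n, m.group(1), ioc))
    return hits

def scan_package_list(pm_output, ioc_packages=FAKEGRAM_PACKAGES):
    """Parse 'package:<name>' lines and return installed IOC packages."""
    installed = {l.split(":", 1)[1].strip() for l in pm_output.splitlines()
                 if l.startswith("package:")}
    return sorted(installed & ioc_packages)

def suspicious_accessibility_services(value, ioc_packages=FAKEGRAM_PACKAGES):
    """Parse 'pkg/service:pkg/service' and return entries owned by IOC packages."""
    return [e for e in value.split(":") if e.split("/", 1)[0] in ioc_packages]
```

On a real device the last two functions take the output of `adb shell pm list packages` and `adb shell settings get secure enabled_accessibility_services` respectively; an IOC package holding an enabled accessibility service is the overlay-attack precondition described above.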
☠️ Risk & Impact
FakeGram directly causes financial losses through unauthorized wire transfers and credit card fraud, with Cleafy estimating a daily attempt rate of over 1,000 infections during peak campaigns in Brazil. The malware primarily targets the fintech and retail banking sectors, compromising mobile users' credentials and 2FA tokens, leading to account takeovers and fund theft.
🛡️ Mitigation
Users should enable Google Play Protect, install apps only from the official Google Play Store rather than sideloading APKs from untrusted sources, and review any app that requests Accessibility Service access it has no plausible need for; enterprises can deploy mobile threat defense (MTD) solutions such as Lookout or Zimperium with detection rules for overlay attacks and Accessibility Service abuse.