Cybersecurity researchers have discovered a new version of a well-known Android malware family called FakeCall which uses voice phishing techniques (aka vishing) to trick users into parting with personal information.
“FakeCall is an extremely sophisticated Vishing attack that uses malware to gain almost complete control over a mobile device, including intercepting incoming and outgoing calls,” said Zimperium researcher Fernando Ortega. said in a report published last week.
“Victims are tricked into calling fake phone numbers controlled by the attacker and mimicking the normal user experience on the device.”
FakeCall, which is also tracked under the names FakeCalls and Letscall, has been the subject of numerous analyses Kaspersky, Check Pointand ThreatFabric since its appearance in April 2022. Previous waves of attacks have mostly targeted mobile users in South Korea.
Names of malicious packages ie. dropper programs that carry malware are listed below –
- com.qaz123789.serviceone
- com.sbbqcfnvd.skgkkvba
- com.securegroup.assistant
- com.seplatmsm.skfplzbh
- eugmx.xjrhry.eroreqxo
- gqcvctl.msthh.swxgkyv
- ouyudz.wqrecg.blxal
- plnfexcq.fehlwuggm.kyxvb
- xkeqoi.iochvm.vmyab
Like other Android banking malware families that are known to abuse Accessibility Services APIs to take control of devices and perform malicious actions, FakeCall uses them to collect information displayed on the screen and grant itself additional permissions to necessary measures.
Some of the other spying features include capturing a wide range of information such as SMS messages, contact lists, location and installed apps, taking pictures, recording live feed from the rear and front cameras, adding and removing contacts, capturing audio, downloading images and impersonating a video stream of all actions on the device using the MediaProjection API.
Newer versions are also designed to monitor Bluetooth status and device screen status. But what makes the malware more dangerous is that it instructs the user to set the app as the default dialer, which gives it the ability to monitor all incoming and outgoing calls.
This not only allows FakeCall to intercept and hijack calls, but also allows them to change a dialed number, such as a bank number, to a fraudulent number under their control and lure victims into unintended actions.
In contrast, previous versions of FakeCall were found to encourage users to call a bank from a malicious app that impersonates various financial institutions under the guise of offering a loan with a lower interest rate.
“When a compromised individual attempts to contact their financial institution, the malware redirects the call to a fake number controlled by the attacker,” Ortega said.
“The malware will trick the user by showing a convincing fake user interface that appears to be a legitimate Android call interface, showing the phone number of a real bank. The victim will not be aware of the manipulation, as the fake interface of the malware will mimic the actual banking experience. , which allows an attacker to obtain sensitive information or gain unauthorized access to a victim’s financial accounts.”
The emergence of sophisticated new phishing strategies (aka mobile phishing) underscores the contraindication to improved security protections and the widespread use of caller ID applications that can flag suspicious numbers and alert users to potential spam.
In recent months, Google has also been experimenting with a security initiative that automatically blocks sideloading of potentially dangerous Android apps, including those that request accessibility services, in Singapore, Thailand, Brazil and India.
