Introduction
FakeCall is a sophisticated Android banking Trojan that poses significant risks to users by intercepting calls to bank customer support, leading to potential data and financial loss. Initially identified by Kaspersky in 2022 [8], this malware employs advanced techniques such as voice phishing and overlay attacks to deceive users into believing they are interacting with legitimate bank representatives. Since its emergence in 2021, FakeCall has evolved to impersonate over 20 financial institutions, primarily targeting South Korean users [1] [5], and has expanded its language support to include English, Japanese, and Chinese [4].
Description
FakeCall is an advanced Android banking Trojan that specifically targets users by taking over the phone’s dialer to intercept calls made to their bank’s customer support, significantly increasing the risks of data and financial loss. Initially reported by Kaspersky in 2022 [4] [8], this malware employs sophisticated voice phishing techniques, known as vishing, and overlay attacks to deceive victims into believing they are communicating with legitimate bank representatives [3]. Since its first identification, FakeCall has evolved to impersonate over 20 financial organizations [3], enhancing its ability to defraud users. Originally appearing in 2021 and primarily affecting South Korean users [1], the malware mimics authentic banking interfaces, including real bank phone numbers and trusted contact information, to create a convincing user experience [1].
The malware is typically spread through seemingly harmless Android Package Kit (APK) files, often downloaded via phishing links or delivered through phishing emails that trick victims into executing the malicious file. Once installed, FakeCall requires users to grant it permission to become the default call handler [4], allowing it to hijack both incoming and outgoing calls without raising suspicion. This capability enables attackers to create a fake call interface that mimics the legitimate Android dialer [3], displaying convincing contact information to further deceive victims. When users attempt to call their bank [1] [3], the call is redirected to a hacker-controlled number [1] [3], where sensitive information can be extracted [3]. The latest variant enhances its capabilities by intercepting calls [1], collecting sensitive data [1], and gaining remote control over infected devices [1] [7], including the ability to record audio, capture video [1], and monitor Bluetooth status [8]. Additionally, it can simulate clicks and gestures [6], potentially facilitating further infections [6].
Identified by Zimperium’s zLabs team [7], FakeCall has been tracked since at least 2022 and exploits mobile functions, including voice and SMS capabilities [7], to execute its attacks. Recent findings revealed 13 new variants of FakeCall that are heavily obfuscated [4], making detection more difficult [4]. This obfuscation involves hiding malicious code in a dynamically decrypted dex file and shifting some functionality to native code for better evasion. Researchers have linked these new variants to the original Trojan through similarities in their services and activities [4]. Initially supporting only Korean, the malware has since added English, Japanese, and Chinese strings [4], although there is so far no evidence that speakers of these languages have been targeted [4].
In addition to call hijacking [3], the latest version of FakeCall includes features such as live streaming the device’s screen [3], taking screenshots [3], and unlocking the phone to disable auto-lock [3]. The malware can also monitor device screen state, further obscuring its malicious behavior. It utilizes the Android Accessibility Service to manipulate the user interface and capture sensitive data [2], while maintaining extensive control over compromised devices through a command-and-control (C2) server. This allows attackers to execute various malicious activities while making detection by users nearly impossible. The malware’s operations are concealed through extensive obfuscation [1], complicating detection efforts [1], and it monitors outgoing calls to relay data to the C2 server, enabling potential misuse of user information [1].
FakeCall utilizes the Monitoring Dialer Activity service to track events from the stock dialer app [5], enabling it to detect when users attempt to make calls using other applications [5]. It can also identify permission prompts from the system permission manager and system UI [5], automatically granting permissions to itself without user consent [5]. This sophisticated mobile attack tactic poses a significant threat to enterprises, as mobile devices are essential for business operations [8]. Compromising these devices can lead to catastrophic consequences [8]. Experts emphasize the importance of scrutinizing Android apps and acquiring them only from trusted sources to defend against such advanced attacks [8]. While downloading apps from the Google Play Store can reduce the risk of installing malicious software [6], it does not guarantee complete safety [6]. Users are advised to exercise caution when installing mobile apps [4], especially those related to financial institutions [4], and to enable Google Play Protect to scan for malicious applications [4]. Organizations are encouraged to equip employees with the skills to recognize and report mobile phishing attempts [8], highlighting the need for robust security measures in the face of evolving threats.
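The two device settings the preceding paragraphs describe FakeCall depending on, holding the default call-handler role and having an Accessibility Service enabled, can be audited from fleet inventory data. The following Python check is an added example, not code from the original article or from any of the cited researchers; the allow-lists, the package names and the sample setting values are constructed assumptions, and the raw values are assumed to have been pulled from the device beforehand (for example with adb shell settings get secure enabled_accessibility_services and the current default dialer package).

```python
"""Audit an Android device's default-dialer holder and its enabled
Accessibility Services: FakeCall asks to become the default call handler and
drives the UI through an Accessibility Service, so an unexpected package in
either position is worth investigating. All sample values are CONSTRUCTED."""

# Allow-lists are an assumption for this example; populate them per fleet.
APPROVED_DIALERS = {"com.google.android.dialer", "com.samsung.android.dialer"}
APPROVED_ACCESSIBILITY = {
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService",
}


def parse_accessibility_services(raw: str) -> list[str]:
    """Split the colon-separated enabled_accessibility_services value into
    fully qualified 'package/Class' component names. Android also accepts the
    short form 'pkg/.Service'; it is expanded so allow-list matches are exact."""
    services = []
    for item in raw.strip().split(":"):
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):  # short form: class name relative to package
            cls = pkg + cls
        services.append(f"{pkg}/{cls}")
    return services


def audit(default_dialer: str, accessibility_raw: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing unexpected."""
    findings = []
    if default_dialer not in APPROVED_DIALERS:
        findings.append(f"unapproved default dialer: {default_dialer}")
    for svc in parse_accessibility_services(accessibility_raw):
        if svc not in APPROVED_ACCESSIBILITY:
            findings.append(f"unapproved accessibility service: {svc}")
    return findings


# Constructed sample: an unknown package holds the dialer role and has an
# Accessibility Service enabled alongside the stock screen reader.
SAMPLE_DIALER = "com.example.fakedialer"
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakedialer/.AccessService"
)

if __name__ == "__main__":
    for line in audit(SAMPLE_DIALER, SAMPLE_ACCESSIBILITY) or ["no findings"]:
        print(line)
```

A device whose dialer role or enabled accessibility list changes between inventory snapshots, without a corresponding MDM policy change, deserves the same scrutiny as a positive finding.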
Conclusion
FakeCall represents a significant threat to both individual users and enterprises due to its ability to intercept calls and extract sensitive information. The malware’s evolution and obfuscation techniques make it increasingly difficult to detect and mitigate. To combat such threats [1], users should exercise caution when downloading apps, particularly those related to financial services, and ensure that security measures like Google Play Protect are enabled. Organizations must prioritize educating employees on recognizing phishing attempts and implementing robust security protocols to safeguard against these sophisticated attacks. As mobile threats continue to evolve, staying informed and vigilant is crucial to maintaining security.
References
[1] https://siliconangle.com/2024/10/30/zimperium-warns-sophisticated-vishing-tactics-new-fakecall-malware-variant/
[2] https://thenimblenerd.com/article/fakecall-malware-strikes-again-android-users-beware/
[3] https://www.tomsguide.com/computing/malware-adware/this-nasty-android-trojan-is-hijacking-calls-to-your-bank-and-sending-them-to-hackers-how-to-stay-safe
[4] https://arstechnica.com/information-technology/2024/10/android-trojan-that-intercepts-voice-calls-to-banks-just-got-more-stealthy/
[5] https://securityaffairs.com/170410/malware/fakecall-malware-intercepts-outgoing-bank-calls.html
[6] https://pcper.com/2024/10/new-fakecall-android-malware-redirects-bank-phone-calls-to-scammers-invisibly/
[7] https://www.infosecurity-magazine.com/news/updated-fakecall-malware-targets/
[8] https://www.darkreading.com/cyberattacks-data-breaches/vishing-mishing-fakecall-android-malware