'FakeCalls' Mobile Malware
Cybersecurity researchers are warning users and business organizations alike about a mobile malware threat tracked as the 'FakeCalls' Android Trojan. The malware can mimic over 20 different financial applications, making it difficult to detect. FakeCalls can also simulate phone conversations with bank employees, a tactic known as voice phishing or vishing.
Vishing is a type of social engineering attack that is conducted over the phone. It involves using psychology to manipulate victims into providing sensitive information or performing actions on behalf of the attacker. The term 'vishing' is a combination of the words 'voice' and 'phishing.'
FakeCalls specifically targets the South Korean market and is highly versatile. It not only fulfills its primary function but can also extract private data from victims. Its multi-purpose functionality makes this Trojan comparable to a Swiss Army knife. Details about the threat were released in a report by the infosec experts at Check Point Research.
Vishing Is A Dangerous Cybercriminal Tactic
Voice phishing, also known as vishing, is a type of social engineering scheme that aims to deceive victims into believing that they are communicating with a legitimate bank employee. This is achieved by creating a fake internet banking or payment system application that mimics a real financial institution. The attackers then offer the victim a fake loan with a lower interest rate, which the victim may be tempted to accept due to the perceived legitimacy of the application.
The attackers use this opportunity to gain the victim's trust and obtain their credit card details. They do this by replacing the phone number belonging to the malware operators with a legitimate bank number during the conversation. This gives the impression that the conversation is with a real bank and its employee. Once the victim's trust is established, they are tricked into 'confirming' their credit card details as part of the process for qualifying for the fake loan.
The FakeCalls Android Trojan can masquerade as over 20 different financial applications and simulate phone conversations with bank employees. The list of organizations that were mimicked includes banks, insurance companies, and online shopping services. Victims are unaware that the malware contains hidden 'features' when they install the 'trustworthy' internet-banking application from a reputable organization.
FakeCalls Malware Is Equipped with Unique Anti-Detection Techniques
More than 2500 samples of the FakeCalls malware have been discovered by Check Point Research. These samples vary in the combination of mimicked financial organizations and implemented evasion techniques. The malware developers have taken extra precautions to protect their creation by implementing several unique evasion techniques that had not been seen before.
In addition to its other capabilities, the FakeCalls malware can capture live audio and video streams from the infected device's camera and send them to the Command-and-Control (C&C) servers with the help of an open-source library. The malware can also receive a command from the C&C server to switch the camera during live streaming.
To keep their real C&C servers hidden, the malware developers have implemented several methods. One method reads data through dead drop resolvers hosted on Google Drive or on an arbitrary web server. A dead drop resolver is a technique in which malicious content is stored on legitimate web services, so that the malicious domains and IP addresses stay hidden and communication with the real C&C servers is disguised. Over 100 unique IP addresses have been identified through the processing of data from dead drop resolvers. In another variant, the malware carries a hardcoded, encrypted link to a specific resolver that contains a document with an encrypted server configuration.
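A defender-side illustration of the dead drop resolver pattern described above, added here and not taken from the Check Point Research report: it scans per-app connection logs for a request to a hosting service followed shortly by a first-seen connection to a raw IP address. The log format, hostname list, time window, package names and addresses are all assumptions constructed for the example, and a match is a lead for review, not proof of infection.

```python
import ipaddress

# Assumption: hostnames of services that could hold a resolver document.
HOSTING_SERVICES = {"drive.google.com", "docs.google.com"}
WINDOW_SECONDS = 30  # assumed correlation window

# Constructed sample: "<epoch seconds> <app package> <destination host>"
SAMPLE_LOG = """\
1700000000 com.example.bankapp drive.google.com
1700000004 com.example.bankapp 203.0.113.45
1700000010 com.example.notes drive.google.com
1700000015 com.example.notes api.example.org
1700000020 com.example.bankapp 203.0.113.45
1700000100 com.example.browser 198.51.100.7
1700000200 com.example.sync drive.google.com
1700000300 com.example.sync 192.0.2.10
"""

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def parse(log_text):
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():  # skip malformed lines
            yield int(parts[0]), parts[1], parts[2].lower()

def find_resolver_patterns(log_text, window=WINDOW_SECONDS):
    """Flag a first-seen raw-IP connection soon after a hosting-service fetch."""
    last_fetch = {}  # app -> (time, host) of its latest hosting-service request
    seen_ips = {}    # app -> raw IPs the app has already contacted
    alerts = []
    for ts, app, host in sorted(parse(log_text)):
        if host in HOSTING_SERVICES:
            last_fetch[app] = (ts, host)
        elif is_ip_literal(host):
            known = seen_ips.setdefault(app, set())
            fetch = last_fetch.get(app)
            if host not in known and fetch and ts - fetch[0] <= window:
                alerts.append({"app": app, "resolver": fetch[1],
                               "ip": host, "delay": ts - fetch[0]})
            known.add(host)
    return alerts

if __name__ == "__main__":
    print(find_resolver_patterns(SAMPLE_LOG))
```

Legitimate apps also fetch from these services, so the window and the hosting list need tuning against a baseline of normal traffic.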