FakeCall Vishing Malware
Cybersecurity researchers have uncovered a new variant of the well-known Android threat family, FakeCall, which uses voice phishing, or 'vishing,' techniques to deceive users into disclosing their personal information.
This advanced vishing attack relies on malware that gains extensive control over the infected mobile device, including the ability to intercept both incoming and outgoing calls. Victims believe they are on a legitimate call when in fact they have been connected to a fraudulent number managed by the attacker, while the device continues to show them a familiar call interface.
Also tracked as FakeCalls and Letscall, FakeCall has been studied extensively by information security researchers since its appearance in April 2022, with earlier attack waves predominantly targeting mobile users in South Korea.
FakeCall Harvests Information from Victims’ Screens
The following package names are associated with dropper applications that distribute the malware:
Like other Android banking threats, FakeCall misuses accessibility services APIs to gain device control and carry out malicious activities. It exploits these APIs to capture on-screen information and grant itself additional permissions as needed.
The malware's espionage capabilities are extensive, enabling it to gather data such as SMS messages, contacts, locations and installed applications. It can also take pictures, record live streams from both front and rear cameras, add and remove contacts, capture audio snippets, upload images and simulate a live video feed of device actions using the MediaProjection API.
The Devious New Tactics Displayed by the FakeCall Malware
The newly uncovered versions of the malware have been enhanced to monitor both Bluetooth status and screen activity on the device. However, what significantly heightens the threat is its tactic of prompting the user to set the application as the default dialer, enabling it to track and manipulate all incoming and outgoing calls.
This access allows FakeCall not only to intercept calls but also to alter dialed numbers. For instance, calls intended for a bank can be redirected to rogue numbers under the attacker's control, deceiving victims into taking unintended actions.
Earlier versions of FakeCall would prompt users to initiate calls to their bank through the application itself, often posing as various financial institutions and presenting fake loan offers with attractive interest rates. When a compromised user attempts to call their bank, the malware reroutes the call to a fraudulent number controlled by the attacker.
The threatening application deceives users with a convincing fake interface that resembles the Android call screen, displaying the real bank's phone number. This mimicked interface makes the user unaware of the manipulation, allowing attackers to gather sensitive information or gain unauthorized access to the victim's financial accounts.
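The combination described above, an app that holds the default dialer role and also runs an accessibility service, is something an analyst can check for on a device during triage. The following helper is an added example, not code from the article or from the researchers who analysed FakeCall; it parses the colon-separated `package/service` list that Android stores in the secure setting `enabled_accessibility_services` and compares it with the default dialer package name (which the analyst supplies, for instance from the device's Default apps settings). The allowlist of stock dialers and the sample values are constructed assumptions.

```python
"""Triage helper: flag an Android app that both holds the default dialer role
and has an accessibility service enabled, the combination FakeCall relies on."""

# Stock dialers that legitimately hold the dialer role. Assumption: extend
# this set with the OEM dialers present in your fleet.
KNOWN_DIALERS = {
    "com.google.android.dialer",
    "com.android.dialer",
    "com.samsung.android.dialer",
}


def parse_accessibility_services(setting_value):
    """Parse the value of the secure setting enabled_accessibility_services
    (colon-separated 'package/service' components) into a set of packages."""
    packages = set()
    if not setting_value or setting_value.strip() == "null":
        return packages  # no accessibility service enabled on this device
    for component in setting_value.split(":"):
        component = component.strip()
        if not component:
            continue
        packages.add(component.split("/", 1)[0])
    return packages


def triage(default_dialer, accessibility_setting):
    """Return a list of findings about the device's call-handling app."""
    findings = []
    a11y_packages = parse_accessibility_services(accessibility_setting)
    if default_dialer not in KNOWN_DIALERS:
        findings.append(f"non-stock default dialer: {default_dialer}")
    if default_dialer in a11y_packages:
        findings.append(
            f"default dialer {default_dialer} also runs an accessibility service"
        )
    return findings


# Constructed sample: a fictitious package has taken the dialer role and
# enabled an accessibility service alongside a legitimate screen reader.
SAMPLE_DIALER = "com.example.fakedialer"
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.fakedialer/.CallMonitorService"
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_DIALER, SAMPLE_A11Y):
        print("ALERT:", finding)
```

A device whose stock dialer is the default and has no accessibility services enabled produces no findings; the sample device produces two.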
Hackers Continue to Look for Ways to Bypass Security Features
The rise of advanced mobile phishing (mishing) techniques is a reaction to improved security measures and the widespread adoption of caller identification apps, which flag suspicious numbers and warn users about potential spam.
Recently, Google has been testing a security initiative that automatically prevents the sideloading of potentially harmful Android apps, including those that request accessibility services, in countries such as Singapore, Thailand, Brazil and India.