Letscall Mobile Malware
Cybersecurity researchers have issued a warning about the rise of a sophisticated form of voice phishing (vishing) called 'Letscall'. The technique is currently being used to target individuals residing in South Korea.
The perpetrators behind the Letscall scheme employ a series of intricate steps to trick their victims into downloading malicious applications from a fraudulent website that imitates the Google Play Store.
Once the malicious software has infiltrated the victim's device, it diverts incoming calls to a call center under the complete control of the criminals. To further deceive the victims, trained operators within the call center impersonate bank employees, thereby gaining their trust. Through these fraudulent interactions, unsuspecting individuals unknowingly divulge sensitive and confidential information to the cybercriminals.
The Letscall Malware Utilizes Multiple Technologies to Reroute Voice Traffic
To streamline the transmission of voice traffic, Letscall incorporates technologies such as Voice over IP (VoIP) and WebRTC. It also relies on the Session Traversal Utilities for NAT (STUN) and Traversal Using Relays around NAT (TURN) protocols, including Google's public STUN servers. These technologies allow the threat to place high-quality voice and video calls while traversing the restrictions imposed by Network Address Translation (NAT) and firewalls.
The Letscall group is suspected to be comprised of a team of skilled professionals with expertise in various areas. This includes Android developers, designers, frontend and backend developers, as well as call operators who specialize in voice social engineering attacks. Their combined skills and knowledge allow them to create, manage, and execute the sophisticated operations involved in the Letscall campaign.
A Complex Operation Chain and Significant Evasion Capabilities Observed in the Letscall Malware
The Letscall malware operates through a well-defined three-stage process. First, a downloader app is deployed to the victim's device as a preparatory step for the installation of potent spyware. The spyware then initiates the final stage, which enables the rerouting of incoming calls to the call center controlled by the attackers.
In the third stage, the malware carries out a distinct set of commands, including those received over WebSocket. Some of these commands revolve around manipulating the device's address book, such as creating and deleting contacts. Others involve the creation, modification, and removal of filters that determine which calls should be intercepted and which ones should be disregarded.
What distinguishes Letscall from other similar malware threats is its use of advanced evasion techniques. The malware incorporates Tencent Legu and Bangcle (SecShell) obfuscation during the initial download phase. In subsequent stages, it employs intricate naming structures within the ZIP (APK) file directories and intentionally corrupts the manifest file, so that analysis tools fail to parse the package even though it still installs, thus evading detection.
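A defender-side triage heuristic for the two packaging tricks described above (mangled ZIP entry names and a deliberately corrupted AndroidManifest.xml), written here as an added example; it is not code from the original article or from the researchers it cites. The AXML header checks and the naming heuristics are assumptions about what such corruption typically looks like, and the sample APK is constructed in memory rather than taken from a real sample.

```python
import io
import struct
import unicodedata
import zipfile

# A binary AndroidManifest.xml (AXML) opens with an 8-byte chunk header:
# uint16 type (0x0003 = RES_XML_TYPE), uint16 header size (8), uint32 chunk size.
AXML_TYPE, AXML_HEADER_SIZE = 0x0003, 0x0008


def manifest_problems(axml: bytes) -> list:
    """Heuristic findings for an AXML blob (assumed checks, not an exhaustive parser)."""
    findings = []
    if len(axml) < 8:
        return ["manifest too short to carry an AXML header"]
    chunk_type, header_size, chunk_size = struct.unpack("<HHI", axml[:8])
    if chunk_type != AXML_TYPE or header_size != AXML_HEADER_SIZE:
        findings.append("AXML header magic mismatch")
    if chunk_size != len(axml):
        # Tools that trust the declared size break; the installer may still tolerate it.
        findings.append(f"declared chunk size {chunk_size} != actual {len(axml)}")
    return findings


def suspicious_name(name: str) -> bool:
    """Flag ZIP entry names built to confuse analysis: traversal, invisible chars, deep nesting."""
    parts = name.split("/")
    if ".." in parts or len(parts) > 8:
        return True
    return any(unicodedata.category(ch) in ("Cc", "Cf") for ch in name)


def triage_apk(apk_bytes: bytes) -> dict:
    """Return {'manifest': [...findings...], 'odd_entries': [...names...]} for an APK."""
    zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    names = zf.namelist()
    report = {"manifest": [], "odd_entries": [n for n in names if suspicious_name(n)]}
    if "AndroidManifest.xml" not in names:
        report["manifest"].append("AndroidManifest.xml missing")
    else:
        report["manifest"] = manifest_problems(zf.read("AndroidManifest.xml"))
    return report


def build_sample(corrupt: bool, odd_names: bool) -> bytes:
    """Constructed in-memory APK stand-in for testing; not a real application."""
    body = b"\x00" * 24  # placeholder for the string pool and XML chunks
    size = len(body) + 8
    manifest = struct.pack("<HHI", AXML_TYPE, AXML_HEADER_SIZE, size + 0x1000 if corrupt else size) + body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", b"dex\n035\x00")
        if odd_names:
            zf.writestr("assets/\u200b/../extra.bin", b"x")  # zero-width char plus traversal
    return buf.getvalue()
```

Run `triage_apk(build_sample(True, True))` to see both findings reported; a clean package returns empty lists for both keys.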
The criminals behind Letscall have also developed automated systems that initiate calls to their victims, playing pre-recorded messages to deceive them further. By combining the infection of mobile phones with vishing techniques, these fraudsters can request micro-loans in the victims' names while simultaneously alarming them about purported suspicious activities. Additionally, they redirect calls to their call centers, adding to the illusion of legitimacy and increasing the success rate of their fraudulent activities.
Victims of the Letscall Malware Could Experience Hefty Financial Losses
The repercussions of such attacks can be severe, leaving victims burdened with substantial loans that they must repay. Unfortunately, financial institutions often underestimate the gravity of these intrusions and neglect to investigate potential instances of fraud thoroughly.
While this particular threat is presently confined to South Korea, researchers warn that there are no technical barriers preventing these attackers from extending their reach to other regions, including the European Union. This potential for expansion highlights the adaptability and agility of cybercriminals in exploiting technology for malicious ends.
This emerging variant of vishing attacks serves as a stark reminder of the ever-evolving nature of criminal tactics and their adeptness at leveraging technology for nefarious purposes. The group responsible for developing the Letscall Malware exhibits a deep understanding of Android security and voice routing technologies, showcasing their sophisticated knowledge in these areas.