Mobile phones, 31.10.2024, 12:30 PM
A new version of Android malware FakeCall hijacks outgoing calls from users to their bank, and redirects them to the attacker’s phone number. The goal of the latest version of the famous malware remains the same – stealing sensitive data and people’s money from their bank accounts.
FakeCall (or FakeCalls) is a banking trojan used in vishing (voice phishing) attacks, in which attackers call victims while impersonating bank employees and ask them to reveal sensitive information.
The Trojan was discovered by Kaspersky in April 2022. Even then, the malware was equipped with a call interface that looked so realistic that victims could easily believe they were talking to their bank.
A March 2023 report by CheckPoint warned that FakeCall was impersonating more than 20 banks at the time and that cybercriminals were offering low-interest loans. That version also had new mechanisms intended to reduce the detection rate.
In earlier versions, FakeCall encouraged users to call the bank from within the app. The fake screen displayed the real bank number while the victim was connected to the fraudsters.
In the latest version, the malware sets itself as the default calling app, asking the user to approve this action after the app has been installed from an Android APK. The application handles incoming and outgoing calls, serving as an interface that handles dialing, connecting and ending calls.
When the malware asks the user to set it as the default calling app, it gets permission to intercept and manipulate both outgoing and incoming calls.
The fake interface mimics a real Android dialer, displaying trusted contact information and names. That is why it is difficult for victims to notice the fraud.
What makes this malware so dangerous is that when a user tries to call their bank, the malware picks up the call and redirects it to the attacker’s phone number.
“The victim will be unaware of the manipulation, as the malware’s fake user interface will mimic the real banking experience, allowing the attacker to extract sensitive information or gain unauthorized access to the victim’s accounts,” said Zimperium researchers who discovered the new version of the malware.
The new version of FakeCall received several improvements and attack mechanisms, although some are still under development.
The malware now uses Android’s accessibility service to gain extensive control over the user interface, allowing it to monitor dialer activity, automatically grant itself permissions, and simulate user actions such as clicks and gestures. The latest variant of the malware can take screenshots, live stream the content of the device’s screen, unlock the device if it is locked and temporarily disable the automatic lock, imitate a press of the home button, delete images, and access images on the device and send them to the C2 server.
This shows that FakeCall is under development, and its operators are working to make it a very powerful banking trojan.
Zimperium has published a list of Indicators of Compromise (IoC), including the names of the apps where FakeCall was found so users can avoid them. However, cybercriminals often change them.
It is recommended that users avoid manually installing Android apps via APK and install them from Google Play. Although malware can also appear on Google Play, Google Play Protect can remove it when it’s detected.
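The traits described above (an unfamiliar default calling app, an accessibility service owned by the same package, and installation from an APK rather than Google Play) can be checked on a device over adb. The following Python example is added here and is not code from Zimperium or the original article; it parses the output of `telecom get-default-dialer`, `settings get secure enabled_accessibility_services` and `pm list packages -i`, and the allowlists, the sample output and the package name `com.example.loanhelper` are constructed assumptions.

```python
import re

# Assumption: dialer packages the device owner trusts; adjust per fleet.
TRUSTED_DIALERS = {"com.google.android.dialer", "com.samsung.android.dialer"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play

def parse_accessibility(raw):
    """Package names from `settings get secure enabled_accessibility_services`
    (colon-separated 'package/ServiceClass' entries, or 'null' when empty)."""
    raw = raw.strip()
    if raw in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}

def parse_installers(raw):
    """Map package -> installer from `pm list packages -i` output."""
    out = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", raw, re.M):
        out[m.group(1)] = m.group(2)
    return out

def assess(default_dialer, accessibility_raw, installers_raw):
    """Findings for the default dialer, matching the pattern in the article:
    unknown dialer + accessibility service + not installed from Google Play."""
    dialer = default_dialer.strip()
    findings = []
    if dialer in TRUSTED_DIALERS:
        return findings
    findings.append(f"default dialer is untrusted package {dialer}")
    if dialer in parse_accessibility(accessibility_raw):
        findings.append(f"{dialer} also runs an accessibility service")
    installer = parse_installers(installers_raw).get(dialer, "null")
    if installer not in TRUSTED_INSTALLERS:
        findings.append(f"{dialer} was not installed from Google Play "
                        f"(installer={installer})")
    return findings

# Constructed sample output; com.example.loanhelper is a made-up package name.
SAMPLE_DIALER = "com.example.loanhelper\n"
SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.example.loanhelper/.CoreService\n")
SAMPLE_PM = ("package:com.google.android.dialer  installer=com.android.vending\n"
             "package:com.example.loanhelper  installer=null\n")

if __name__ == "__main__":
    for line in assess(SAMPLE_DIALER, SAMPLE_A11Y, SAMPLE_PM):
        print("[!]", line)
```

On a real device, feed `assess` the text returned by running each of the three commands through `adb shell`.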
Source: www.informacija.rs