Monday, December 23, 2024
HomeAndroidFake Calls Android Malware Attacking Android Users to Steal Banking Details

Fake Calls Android Malware Attacking Android Users to Steal Banking Details

Published on

SIEM as a Service

An Android Trojan dubbed “FakeCalls” was spotted by the Check Point Research team. This malware can pretend to be one of more than 20 financial applications and imitate phone conversations with the bank or financial service employees. This tactic is known as voice phishing.

The South Korean market was the target of the Swiss-army-knife-like capabilities of the FakeCalls malware, which may accomplish its main objective while also obtaining sensitive information from the victim’s device.

“We discovered more than 2500 samples of the FakeCalls malware that used a variety of combinations of mimicked financial organizations and implemented anti-analysis techniques,” Check Point Research team.

- Advertisement - SIEM as a Service

“The malware developers paid special attention to the protection of their malware, using several unique evasions that we had not previously seen in the wild.”

How Voice Phishing Works?

In the South Korean market, voice phishing assaults are not new. In 2020, voice phishing caused financial losses of almost 600 million USD, with 170,000 individuals falling prey to it between 2016 and 2020, according to a report posted on the website of the South Korean government.

Malware may be installed on the victim’s device as the first stage of the attack using phishing, black SEO, or malvertizing.

The FakeCalls malware is disseminated on fake banking apps that pose as significant Korean financial organizations, leading victims to believe they are using a genuine app from a reputable vendor.

The app offers the victim a loan with a low-interest rate to start the attack. After the victim shows interest, the malware places a call and plays a recording of the bank’s real customer service representative giving instructions on how to get the loan request accepted.

The malware can hide the attackers’ calling number, however, and display the actual number of the fake bank instead, making the discussion seem genuine.

The victim is eventually duped into providing their credit card information, which is later taken by the attackers and is purportedly necessary for getting the loan.

Principal scheme of the voice phishing attack

“When victims install the FakeCalls malware, they have no reason to suspect that some hidden catches are present in the “trustworthy” internet-banking application from a solid organization”, explains CheckPoint researchers.

Moreover, a pre-recorded audio clip that pretends to be bank instructions in place of a phone call with a malware operator can be played.

Anti-Analysis Techniques

FakeCalls incorporate three new strategies to assist it in avoiding detection. The first method, referred to as “multi-disk,” is altering the ZIP header data of the APK (Android package) file by putting abnormally high values for the EOCD record to trick automated analysis tools.

The second evasion method involves changing the AndroidManifest.xml file’s starting marker to be undetectable, altering the structure of the strings and styles, and tampering with the last string’s offset to lead to an inaccurate interpretation.

Wring last string offset in the array
Wrong last string offset in the array

The APK’s asset folder is used to add numerous files inside nested directories as the third evasion technique, resulting in file names and paths that are longer than 300 characters. According to experts, this may cause issues for some security tools, making it difficult for them to find the malware.

File in the APK asset folder
Files in the APK asset folder

Final Thoughts

Voice phishing is an issue that has cost victims in South Korea $600 million in 2020 alone, according to government statistics, and there have been 170,000 documented victims between 2016 and 2020.

Hence, researchers say the techniques and strategies utilized in this specific malware can be applied to various applications that target other global markets.

Network Security Checklist – Download Free E-Book

Related Read:

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

17M Patient Records Stolen in Ransomware Attack on Three California Hospitals

A staggering 17 million patient records, containing sensitive personal and medical information, have been...

WhatsApp Wins NSO in Pegasus Spyware Hacking Lawsuit After 5 Years

After a prolonged legal battle stretching over five years, WhatsApp has triumphed over NSO...

PentestGPT – A ChatGPT Powered Automated Penetration Testing Tool

GBHackers come across a new ChatGPT-powered Penetration testing Tool called "PentestGPT" that helps penetration...

Threat Actors Selling Nunu Stealer On Hacker Forums

A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

17M Patient Records Stolen in Ransomware Attack on Three California Hospitals

A staggering 17 million patient records, containing sensitive personal and medical information, have been...

WhatsApp Wins NSO in Pegasus Spyware Hacking Lawsuit After 5 Years

After a prolonged legal battle stretching over five years, WhatsApp has triumphed over NSO...

Threat Actors Selling Nunu Stealer On Hacker Forums

A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker...