Sunday, June 16, 2024

Fake Calls Android Malware Attacking Android Users to Steal Banking Details

An Android Trojan dubbed “FakeCalls” was spotted by the Check Point Research team. This malware can pretend to be one of more than 20 financial applications and imitate phone conversations with the bank or financial service employees. This tactic is known as voice phishing.

The South Korean market was the target of the Swiss-army-knife-like capabilities of the FakeCalls malware, which may accomplish its main objective while also obtaining sensitive information from the victim’s device.

“We discovered more than 2500 samples of the FakeCalls malware that used a variety of combinations of mimicked financial organizations and implemented anti-analysis techniques,” Check Point Research team.

“The malware developers paid special attention to the protection of their malware, using several unique evasions that we had not previously seen in the wild.”

How Voice Phishing Works?

In the South Korean market, voice phishing assaults are not new. In 2020, voice phishing caused financial losses of almost 600 million USD, with 170,000 individuals falling prey to it between 2016 and 2020, according to a report posted on the website of the South Korean government.

Malware may be installed on the victim’s device as the first stage of the attack using phishing, black SEO, or malvertizing.

The FakeCalls malware is disseminated on fake banking apps that pose as significant Korean financial organizations, leading victims to believe they are using a genuine app from a reputable vendor.

The app offers the victim a loan with a low-interest rate to start the attack. After the victim shows interest, the malware places a call and plays a recording of the bank’s real customer service representative giving instructions on how to get the loan request accepted.

The malware can hide the attackers’ calling number, however, and display the actual number of the fake bank instead, making the discussion seem genuine.

The victim is eventually duped into providing their credit card information, which is later taken by the attackers and is purportedly necessary for getting the loan.

Principal scheme of the voice phishing attack

“When victims install the FakeCalls malware, they have no reason to suspect that some hidden catches are present in the “trustworthy” internet-banking application from a solid organization”, explains CheckPoint researchers.

Moreover, a pre-recorded audio clip that pretends to be bank instructions in place of a phone call with a malware operator can be played.

Anti-Analysis Techniques

FakeCalls incorporate three new strategies to assist it in avoiding detection. The first method, referred to as “multi-disk,” is altering the ZIP header data of the APK (Android package) file by putting abnormally high values for the EOCD record to trick automated analysis tools.

The second evasion method involves changing the AndroidManifest.xml file’s starting marker to be undetectable, altering the structure of the strings and styles, and tampering with the last string’s offset to lead to an inaccurate interpretation.

Wring last string offset in the array
Wrong last string offset in the array

The APK’s asset folder is used to add numerous files inside nested directories as the third evasion technique, resulting in file names and paths that are longer than 300 characters. According to experts, this may cause issues for some security tools, making it difficult for them to find the malware.

File in the APK asset folder
Files in the APK asset folder

Final Thoughts

Voice phishing is an issue that has cost victims in South Korea $600 million in 2020 alone, according to government statistics, and there have been 170,000 documented victims between 2016 and 2020.

Hence, researchers say the techniques and strategies utilized in this specific malware can be applied to various applications that target other global markets.

Network Security Checklist – Download Free E-Book

Related Read:


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles