Fake Calls Android Malware Attacking Android Users to Steal Banking Details

An Android Trojan dubbed “FakeCalls” was spotted by the Check Point Research team. This malware can pretend to be one of more than 20 financial applications and imitate phone conversations with the bank or financial service employees. This tactic is known as voice phishing.

The South Korean market was the target of the Swiss-army-knife-like capabilities of the FakeCalls malware, which may accomplish its main objective while also obtaining sensitive information from the victim’s device.

“We discovered more than 2500 samples of the FakeCalls malware that used a variety of combinations of mimicked financial organizations and implemented anti-analysis techniques,” Check Point Research team.

“The malware developers paid special attention to the protection of their malware, using several unique evasions that we had not previously seen in the wild.”

How Voice Phishing Works?

In the South Korean market, voice phishing assaults are not new. In 2020, voice phishing caused financial losses of almost 600 million USD, with 170,000 individuals falling prey to it between 2016 and 2020, according to a report posted on the website of the South Korean government.

Malware may be installed on the victim’s device as the first stage of the attack using phishing, black SEO, or malvertizing.

The FakeCalls malware is disseminated on fake banking apps that pose as significant Korean financial organizations, leading victims to believe they are using a genuine app from a reputable vendor.

The app offers the victim a loan with a low-interest rate to start the attack. After the victim shows interest, the malware places a call and plays a recording of the bank’s real customer service representative giving instructions on how to get the loan request accepted.

The malware can hide the attackers’ calling number, however, and display the actual number of the fake bank instead, making the discussion seem genuine.

The victim is eventually duped into providing their credit card information, which is later taken by the attackers and is purportedly necessary for getting the loan.

Principal scheme of the voice phishing attack

“When victims install the FakeCalls malware, they have no reason to suspect that some hidden catches are present in the “trustworthy” internet-banking application from a solid organization”, explains CheckPoint researchers.

Moreover, a pre-recorded audio clip that pretends to be bank instructions in place of a phone call with a malware operator can be played.

Anti-Analysis Techniques

FakeCalls incorporate three new strategies to assist it in avoiding detection. The first method, referred to as “multi-disk,” is altering the ZIP header data of the APK (Android package) file by putting abnormally high values for the EOCD record to trick automated analysis tools.

The second evasion method involves changing the AndroidManifest.xml file’s starting marker to be undetectable, altering the structure of the strings and styles, and tampering with the last string’s offset to lead to an inaccurate interpretation.

Wrong last string offset in the array

The APK’s asset folder is used to add numerous files inside nested directories as the third evasion technique, resulting in file names and paths that are longer than 300 characters. According to experts, this may cause issues for some security tools, making it difficult for them to find the malware.

Files in the APK asset folder

Final Thoughts

Voice phishing is an issue that has cost victims in South Korea $600 million in 2020 alone, according to government statistics, and there have been 170,000 documented victims between 2016 and 2020.

Hence, researchers say the techniques and strategies utilized in this specific malware can be applied to various applications that target other global markets.

Network Security Checklist – Download Free E-Book

Related Read:

Tags: Android
Guru baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting the growing, widespread use and potential…

5 hours ago

C2A Security’s EVSec Risk Management and Automation Platform Gains Automotive Industry Favor as Companies Pursue Regulatory Compliance

In 2023, C2A Security added multiple OEMs and Tier 1s to its portfolio of customers, successful evaluations, and partnerships such…

6 hours ago

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and education. The latest update, Wireshark 4.2.4,…

9 hours ago

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered platform designed to redefine how we…

9 hours ago

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information and grant unauthorized access. It's an…

10 hours ago

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including two zero-day exploits showcased at the…

13 hours ago