Fake Calls Android Malware Attacking Android Users to Steal Banking Details

An Android Trojan dubbed “FakeCalls” was spotted by the Check Point Research team. This malware can pretend to be one of more than 20 financial applications and imitate phone conversations with the bank or financial service employees. This tactic is known as voice phishing.

The South Korean market was the target of the Swiss-army-knife-like capabilities of the FakeCalls malware, which may accomplish its main objective while also obtaining sensitive information from the victim’s device.

“We discovered more than 2500 samples of the FakeCalls malware that used a variety of combinations of mimicked financial organizations and implemented anti-analysis techniques,” Check Point Research team.

“The malware developers paid special attention to the protection of their malware, using several unique evasions that we had not previously seen in the wild.”

How Voice Phishing Works?

In the South Korean market, voice phishing assaults are not new. In 2020, voice phishing caused financial losses of almost 600 million USD, with 170,000 individuals falling prey to it between 2016 and 2020, according to a report posted on the website of the South Korean government.

Malware may be installed on the victim’s device as the first stage of the attack using phishing, black SEO, or malvertizing.

The FakeCalls malware is disseminated on fake banking apps that pose as significant Korean financial organizations, leading victims to believe they are using a genuine app from a reputable vendor.

The app offers the victim a loan with a low-interest rate to start the attack. After the victim shows interest, the malware places a call and plays a recording of the bank’s real customer service representative giving instructions on how to get the loan request accepted.

The malware can hide the attackers’ calling number, however, and display the actual number of the fake bank instead, making the discussion seem genuine.

The victim is eventually duped into providing their credit card information, which is later taken by the attackers and is purportedly necessary for getting the loan.

Principal scheme of the voice phishing attack

“When victims install the FakeCalls malware, they have no reason to suspect that some hidden catches are present in the “trustworthy” internet-banking application from a solid organization”, explains CheckPoint researchers.

Moreover, a pre-recorded audio clip that pretends to be bank instructions in place of a phone call with a malware operator can be played.

Anti-Analysis Techniques

FakeCalls incorporate three new strategies to assist it in avoiding detection. The first method, referred to as “multi-disk,” is altering the ZIP header data of the APK (Android package) file by putting abnormally high values for the EOCD record to trick automated analysis tools.

The second evasion method involves changing the AndroidManifest.xml file’s starting marker to be undetectable, altering the structure of the strings and styles, and tampering with the last string’s offset to lead to an inaccurate interpretation.

Wrong last string offset in the array

The APK’s asset folder is used to add numerous files inside nested directories as the third evasion technique, resulting in file names and paths that are longer than 300 characters. According to experts, this may cause issues for some security tools, making it difficult for them to find the malware.

Files in the APK asset folder

Final Thoughts

Voice phishing is an issue that has cost victims in South Korea $600 million in 2020 alone, according to government statistics, and there have been 170,000 documented victims between 2016 and 2020.

Hence, researchers say the techniques and strategies utilized in this specific malware can be applied to various applications that target other global markets.

Network Security Checklist – Download Free E-Book

Related Read:

Tags: Android
Guru baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing ZIP and RAR attachments to distribute…

45 mins ago

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data or compromised systems. Reselling gift cards…

58 mins ago

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining attacks in the cloud. Unlike on-premises…

60 mins ago

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented the Zero Trust security model.  It…

1 hour ago

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which involves interference in the functioning of…

1 hour ago

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits DNS queries and responses. This new…

2 hours ago