Thursday, February 22, 2024

Letscall – New Sophisticated Voice over IP Phishing Attack Steal Banking Details

Vishing’s popularity has surged significantly in recent years, and this phenomenon is gradually destroying the trust factor in unknown calls from numbers that are unknown due to the rise in Voice over IP Phishing.

Commonly, calls from bank employees or salespeople occur, but what if a scammer dials instead? Recently, there has been a warning about a new and sophisticated type of phone scam called “Letscall,” where scammers trick people through voice communication.

The cybersecurity researcher at ThreatFabric discovered and released a warning about this emerging and advanced form of voice phishing (vishing).

Multi-stage Attack Chain

From a fake Google Play Store site, the operators of the “Letscall” trick the victims into downloading malicious apps by executing a multi-step attack. The victim fetches the initial stage of the malicious app chain from that page.

Here below, we have mentioned all the three stages it involves:-

  • The first stage involves the following things:-
  • Prepares the device.
  • All the necessary permissions are obtained.
  • Launches the phishing page.
  • Then from the control server, download and install the second-stage malware.
  • In the second stage through video or voice calls with the victim, a powerful spyware application enables the attacker to infect the targeted device by extracting data and enlisting the infected device in a P2P VOIP network for communication. App drops the third stage, connecting the victim to operators via Letscall’s WEBRTC. Maximum call quality ensured, NAT/firewall bypassed with STUN/TURN methods, including servers from Google STUN.
  • The third stage complements the second-stage malware, adding functionalities such as call redirection from the victim device to the call center that is under the control of the attacker.
Letscall Attack Chain

Vishing attacks have evolved, becoming technologically advanced. Fraudsters now employ modern voice traffic routing tech and automated victim calls with pre-recorded messages to use as lures.

As call operators who are skilled in voice social engineering attacks, the “Letscall” group comprises:-

  • Android developers
  • Designers
  • Frontend developers
  • Backend developers


Besides this, it’s still unknown how the attacker lures the victim to the decoy page, possibly with the help of two types of attack, and here they are mentioned below:-

  • Blackhat SEO technique
  • Social engineering

Moreover, cybersecurity analysts discovered Google Play-like pages that are primarily optimized for mobile screens, but interestingly, they’re in Korean.

Technically, the Downloaders that are employed are somewhat simple and specific apps, which occasionally utilize custom methods.

During the initial download, Letscall Tencent Legu and Bangcle (SecShell) obfuscation is incorporated by the malware. In ZIP directories, it uses complex naming, and then to evade the security systems, it corrupts the manifest in later stages.

Such attacks can lead to major consequences, loading victims with significant loan repayments. While these intrusions are underestimated by financial institutions in most cases.

At the moment, it’s limited to South Korea only, but security analysts warn that threat actors could easily expand to other regions like the European Union due to the lack of technical barriers.


Here below, we have mentioned the indicators of compromise:-

File sha256 hashes



Second stage


Third stage


“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.


Latest articles

Beware of New AsukaStealer Steal Browser Passwords & Desktop Screens

An updated version of the ObserverStealer known as AsukaStealer was observed to be advertised as...

US to Pay $15M for Info About Lockbit Ransomware Operator Data

In a significant move against cybercrime, the U.S. government has announced a bounty of...

Earth Preta Hackers Abuses Google Drive to Deploy DOPLUGS Malware

Threat actors abuse Google Drive for several malicious activities due to its widespread use,...

Swiggy Account Hacked, Hackers Placed Orders Worth Rs 97,000

In a startling incident underscoring the growing menace of cybercrime, a woman's Swiggy account...

Beware of VietCredCare Malware that Steals businesses’ Facebook Accounts

A new cybersecurity threat targeting Facebook advertisers in Vietnam, known as VietCredCare, has emerged....

Google Chrome 122 Update Addresses Critical Security Vulnerabilities

Google has recently unveiled Chrome 122, a significant milestone for the widely used web...

New Malicious PyPI Packages Use DLL Sideloading In A Supply Chain Attack

Researchers have discovered that threat actors have been using open-source platforms and codes for...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles