Hello!
Researchers have found new versions of a sophisticated Android financial-fraud Trojan that’s notable for its ability to intercept calls a victim tries to place to customer-support personnel of their banks.
FakeCall first came to public attention in 2022, when researchers from security firm Kaspersky reported that the malicious app wasn’t your average banking Trojan. Besides containing the usual capabilities for stealing account credentials, FakeCall could reroute voice calls to numbers controlled by the attackers.
A strategic evolution
The malware, available on websites masquerading as Google Play, could also simulate incoming calls from bank employees. The intention of the novel feature was to provide reassurances to victims that nothing was amiss and to more effectively trick them into divulging account credentials by having the social-engineering come from a live human.
The interception was possible when victims followed instructions during installation to grant permission for the app to become the default call handler on the Android device. From then on, FakeCall could detect calls to a bank’s legitimate customer-support number and reroute them to an attacker-controlled number. To better hide the sleight-of-hand, the Trojan can display its own screen over the system's.
On Wednesday, a researcher at mobile security firm Zimperium reported finding 13 new variants of the malware. The continued development of the already-sophisticated Trojan indicates the attackers behind it continue to ramp up investment in it.
“The newly discovered variants of this malware are heavily obfuscated but remain consistent with the characteristics of earlier versions,” Zimperium malware researcher Fernando Ortega wrote. Ortega continued: “This suggested a strategic evolution—some malicious functionality had been partially migrated to native code, making detection more challenging.”
Much of the new obfuscation is the result of hiding malicious code in a dynamically decrypted and loaded .dex file of the apps. As a result, Zimperium initially believed the malicious apps they were analyzing were part of a previously unknown malware family. Then the researchers dumped the .dex file from an infected device’s memory and performed static analysis on it.
“As we delved deeper, a pattern emerged,” Ortega wrote. “The services, receivers, and activities closely resembled those from an older malware variant with the package name com.secure.assistant.” That package allowed the researchers to link it to the FakeCall Trojan.
The Kaspersky post from 2022 said that the only language supported by FakeCall was Korean and that the Trojan appeared to target several specific banks in South Korea. Last year, researchers from security firm ThreatFabric said the Trojan had begun supporting English, Japanese, and Chinese, although there were no indications people speaking those languages were actually targeted.
People should think long and hard about installing any mobile app, particularly for Android devices, which over the years have been a frequent target of Trojans promising one thing and delivering under the hood a host of malicious others. Apps that interface with financial institutions deserve more scrutiny still. Android users should also be sure to enable Play Protect, a service Google provides to scan devices for malicious apps, whether those apps were obtained from Play or from third parties, as the case is with FakeCall.
Thank you!
Join us on social networks!
See you!
