The latest FakeCall malware version for Android intercepts outgoing bank calls, redirecting them to attackers to steal sensitive info and bank funds.
Zimperium researchers spotted a new version of the FakeCall malware for Android that hijacks victims’ outgoing calls and redirects them to the attacker’s phone number. The malware allows operators to steal bank customers’ sensitive information and money from their bank accounts.
FakeCall is a banking trojan that uses voice phishing by impersonating banks in fraudulent calls to obtain sensitive information from victims. FakeCall could also access live audio and video streams from the infected devices.
The new version has enhanced evasion and data-stealing capabilities; the banking trojan has mainly targeted users in South Korea.
Earlier FakeCall versions tricked users into calling scammers by showing a fake bank screen with the bank’s real number. In the latest version, FakeCall sets itself as the default call handler upon installation, controlling all outgoing calls.
Zimperium reported that victims are asked to approve the malicious app as the default call handler. FakeCall mimics the Android dialer, showing trusted contact info to deceive users, secretly hijacking calls to financial institutions and redirecting them to scammers.
“The malicious app will deceive the user, displaying a convincing fake UI that appears to be the legitimate Android’s call interface showing the real bank’s phone number.” reads the report published by Zimperium. “The victim will be unaware of the manipulation, as the malware’s fake UI will mimic the actual banking experience, allowing the attacker to extract sensitive information or gain unauthorized access to the victim’s financial accounts.”
FakeCall relies on the Monitoring Dialer Activity service to monitor events from the com.skt.prod.dialer package (the stock dialer app), potentially allowing it to detect when the user is attempting to make calls using apps other than the malware itself. The malicious code is also able to detect permission prompts from com.google.android.permissioncontroller (the system permission manager) and com.android.systemui (the system UI). Upon detecting specific events (e.g., TYPE_WINDOW_STATE_CHANGED), it can automatically grant permissions to the malware, bypassing user consent. Finally, the malware could let remote attackers take full control of the victim’s device UI, allowing them to simulate user interactions, such as clicks, gestures, and navigation across apps. This capability enables the attacker to manipulate the device with precision.
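As an added defender's check (not Zimperium's code), the sample combines two capabilities, holding the default dialer role and consuming accessibility events such as TYPE_WINDOW_STATE_CHANGED, so a fleet inventory can flag devices where an app outside an allowlist holds either, and rate the overlap highest. The script assumes the default dialer package name and the raw value of the `enabled_accessibility_services` secure setting have already been pulled from the device; the allowlists and sample package names are constructed.

```python
"""Flag devices where a non-allowlisted app holds the default dialer role
and/or has an enabled accessibility service (the FakeCall combination)."""
from dataclasses import dataclass

# Constructed allowlists; tune to the device fleet being inventoried.
TRUSTED_DIALERS = {"com.google.android.dialer", "com.samsung.android.dialer",
                   "com.skt.prod.dialer"}
TRUSTED_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}


@dataclass(frozen=True)
class Finding:
    package: str
    reason: str
    severity: str


def parse_enabled_services(setting_value: str) -> list[tuple[str, str]]:
    """Parse the 'enabled_accessibility_services' secure setting: a
    colon-separated list of flattened ComponentNames, either
    'com.pkg/com.pkg.Svc' or the shorthand 'com.pkg/.Svc'."""
    out = []
    for entry in filter(None, setting_value.strip().split(":")):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):          # expand the relative class name
            cls = pkg + cls
        out.append((pkg, cls))
    return out


def assess(default_dialer: str, enabled_services: str) -> list[Finding]:
    """Return findings ordered dialer-first; an untrusted dialer that also
    runs an accessibility service is rated 'high'."""
    findings = []
    a11y_pkgs = {pkg for pkg, _ in parse_enabled_services(enabled_services)}
    if default_dialer and default_dialer not in TRUSTED_DIALERS:
        sev = "high" if default_dialer in a11y_pkgs else "medium"
        findings.append(Finding(default_dialer,
                                "untrusted app holds the default dialer role", sev))
    for pkg in sorted(a11y_pkgs - TRUSTED_A11Y_PACKAGES):
        findings.append(Finding(pkg, "untrusted accessibility service enabled", "medium"))
    return findings


# Constructed sample: a hypothetical app is both the dialer and an a11y service.
SAMPLE_DIALER = "com.example.fakedialer"
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.fakedialer/.DialerMonitor")

if __name__ == "__main__":
    for f in assess(SAMPLE_DIALER, SAMPLE_A11Y):
        print(f"[{f.severity}] {f.package}: {f.reason}")
```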
“This receiver functions primarily as a listener, monitoring Bluetooth status and changes. Notably, there is no immediate evidence of malicious behavior in the source code, raising questions about whether it serves as a placeholder for future functionality.” continues the report.
Zimperium has published a list of indicators of compromise (IoC) for the new malware version.
Pierluigi Paganini
(SecurityAffairs – hacking, malware)