The Android malware “FakeCalls” is again in circulation in South Korea, impersonating calls from over 20 financial institutions in an effort to trick bank customers into disclosing their credit card details. The malware itself is not new; Kaspersky reported on it a year ago. Researchers from Check Point now report that recent versions incorporate several evasion techniques that were absent from earlier samples.
“We discovered more than 2500 samples of the FakeCalls malware that used a variety of combinations of mimicked financial organizations and implemented anti-analysis techniques,” reads Check Point’s report. “The malware developers paid special attention to the protection of their malware, using several unique evasions that we had not previously seen in the wild.”
In the initial stage of the attack, the malware is installed on the victim’s device through phishing, black-hat SEO, or malvertising. FakeCalls is distributed as fake banking applications that pose as major Korean financial institutions, so users believe they are running a genuine app from a reputable developer. To begin the attack, the app offers the victim a loan at a low interest rate. When the victim expresses interest, the malware places a call and plays a recording of the bank’s real customer service line giving instructions on how to get the loan request approved.
The malware can also disguise the caller number: the call actually comes from a number owned by the attackers, but the phone displays the impersonated bank’s real number, so the conversation appears legitimate. The victim is eventually duped into providing their credit card details, supposedly required to process the loan, and the attackers collect that information. Beyond this vishing technique, FakeCalls can record live audio and video from the compromised smartphone, which may help the attackers gather more data.
The most recent samples that Check Point’s researchers collected and examined show that FakeCalls uses three additional evasion methods. The first, referred to as “multi-disk,” alters the ZIP header data of the APK (Android package) file by writing erroneously high values into the EOCD (end of central directory) record to confuse automated analysis tools. The second method tampers with the AndroidManifest.xml file: it obscures the file’s starting marker, changes the structure of the strings and styles sections, and manipulates the offset of the last string so that parsers misinterpret the file. The third technique adds several files inside deeply nested folders under the APK’s assets directory, producing file names and paths longer than 300 characters. Check Point notes that this may cause problems for some security products, making it harder for them to detect the infection.
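The first and third evasion techniques above both live at the ZIP container level, so a defender can check for them without parsing any Android-specific format. The following added example (written for this article, not code from Check Point or from the malware) parses the EOCD record and walks the central directory by hand, flagging non-zero disk-number fields in a single-file archive and entry names longer than 300 characters. The sample APK it builds is a constructed placeholder zip with dummy entries, and the `apply_multidisk_trick` helper is a test fixture that mutates the EOCD disk-number fields; exactly which EOCD fields the real samples alter is not stated on the page, so that choice is an assumption.

```python
import io
import struct
import zipfile

# End of central directory (EOCD) record: signature, number of this disk, disk on
# which the central directory starts, entries on this disk, total entries,
# central directory size, central directory offset, comment length.
EOCD_SIG = b"PK\x05\x06"
EOCD_FMT = "<4sHHHHIIH"
EOCD_LEN = struct.calcsize(EOCD_FMT)  # 22 bytes before the optional comment

# Central directory file header: 46 fixed bytes, then name / extra / comment.
CDH_SIG = b"PK\x01\x02"
CDH_FMT = "<4sHHHHHHIIIHHHHHII"
CDH_LEN = struct.calcsize(CDH_FMT)

MAX_SANE_NAME_LEN = 300  # threshold taken from the reported technique


def find_eocd(data: bytes) -> int:
    """Locate the EOCD record; it sits at the end, possibly followed by a comment (<= 65535 bytes)."""
    tail = data[-(EOCD_LEN + 0xFFFF):]
    idx = tail.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("no EOCD record found")
    pos = len(data) - len(tail) + idx
    if pos + EOCD_LEN > len(data):
        raise ValueError("truncated EOCD record")
    return pos


def parse_eocd(data: bytes) -> dict:
    """Unpack the EOCD fields into a dict so the checks below can reason about them."""
    pos = find_eocd(data)
    (_sig, disk_no, cd_disk, entries_here, entries_total,
     cd_size, cd_offset, comment_len) = struct.unpack_from(EOCD_FMT, data, pos)
    return {"pos": pos, "disk_no": disk_no, "cd_disk": cd_disk,
            "entries_here": entries_here, "entries_total": entries_total,
            "cd_size": cd_size, "cd_offset": cd_offset, "comment_len": comment_len}


def list_entries(data: bytes, eocd: dict) -> list:
    """Walk the central directory ourselves rather than trusting a library parser that may bail out."""
    entries = []
    pos, end = eocd["cd_offset"], eocd["cd_offset"] + eocd["cd_size"]
    while pos + CDH_LEN <= end:
        f = struct.unpack_from(CDH_FMT, data, pos)
        if f[0] != CDH_SIG:
            break
        name_len, extra_len, comment_len, disk_start = f[10], f[11], f[12], f[13]
        name = data[pos + CDH_LEN:pos + CDH_LEN + name_len].decode("utf-8", "replace")
        entries.append({"name": name, "disk_start": disk_start})
        pos += CDH_LEN + name_len + extra_len + comment_len
    return entries


def scan_apk(data: bytes) -> list:
    """Return (code, detail) findings for the archive-level anomalies described in the report."""
    findings = []
    eocd = parse_eocd(data)
    if eocd["disk_no"] != 0 or eocd["cd_disk"] != 0:
        findings.append(("EOCD_MULTIDISK",
                         f"disk_no={eocd['disk_no']} cd_disk={eocd['cd_disk']} in a single-file archive"))
    if eocd["entries_here"] != eocd["entries_total"]:
        findings.append(("EOCD_COUNT_MISMATCH",
                         f"{eocd['entries_here']} entries on this disk vs {eocd['entries_total']} total"))
    for e in list_entries(data, eocd):
        if e["disk_start"] != 0:
            findings.append(("ENTRY_DISK_NONZERO", e["name"][:60]))
        if len(e["name"]) > MAX_SANE_NAME_LEN:
            findings.append(("LONG_ENTRY_NAME", f"{len(e['name'])} chars: {e['name'][:60]}..."))
    return findings


def build_sample_apk(long_path: bool = False) -> bytes:
    """Constructed stand-in for an APK: an ordinary zip with placeholder entries (not real manifest/dex data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 28)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        # Optional nested-assets entry whose path exceeds 300 characters.
        name = ("assets/" + "/".join(["d" * 40] * 8) + "/payload.bin") if long_path else "assets/config.bin"
        z.writestr(name, b"\x00" * 16)
    return buf.getvalue()


def apply_multidisk_trick(data: bytes) -> bytes:
    """Test fixture (assumed shape of the trick): set the EOCD disk-number fields to a nonsense high value."""
    pos = find_eocd(data)
    fields = list(struct.unpack_from(EOCD_FMT, data, pos))
    fields[1] = fields[2] = 0xFFFF
    return data[:pos] + struct.pack(EOCD_FMT, *fields) + data[pos + EOCD_LEN:]


if __name__ == "__main__":
    print("clean sample:", scan_apk(build_sample_apk()))
    print("evasive sample:", scan_apk(apply_multidisk_trick(build_sample_apk(long_path=True))))
```

The clean sample yields no findings, while the mutated one reports `EOCD_MULTIDISK` and `LONG_ENTRY_NAME`. One caveat for real-world use: legitimate ZIP64 archives also place 0xFFFF sentinels in the EOCD, so a production scanner should look for the ZIP64 end-of-central-directory locator immediately before the EOCD and only raise the multi-disk finding when no such locator is present.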
According to official statistics, vishing (voice phishing) cost victims in South Korea $600 million in 2020 alone, and there were 170,000 documented victims between 2016 and 2020. FakeCalls has so far remained confined to South Korea, but if its creators or affiliates produce a new language kit and app overlay to target banks in other countries, the malware could easily extend its operations to other regions. Vishing has long been a serious problem, and as machine-learning speech models capable of producing natural-sounding speech and cloning real people’s voices from little or no training data become widespread, the threat is likely to get worse.