Researchers have uncovered an evolved version of the FakeCall malware targeting Android users. The updated variant has significantly advanced capabilities, including intercepting outgoing calls to banks and redirecting them to the attacker’s phone number. The tactic heightens the effectiveness of voice phishing (vishing) attacks, with the primary goal of stealing sensitive information and draining victims’ bank accounts.
FakeCall, also known as FakeCalls, is a sophisticated banking Trojan designed to exploit social engineering tactics through vishing, where attackers impersonate bank representatives to deceive victims into divulging confidential information. Initially detected in April 2022, early versions of FakeCall featured realistic call interfaces, mimicking legitimate banking conversations. The level of sophistication helped attackers convince users that they were engaging with their banks, enhancing the likelihood of data theft.
In March 2023, a report by CheckPoint highlighted FakeCall’s ability to impersonate over 20 financial institutions, offering “low-interest loans” as bait while implementing techniques to evade detection. FakeCall’s interface imitated official banking applications, building a false sense of security among users and allowing attackers to efficiently capture sensitive information.
The latest version of FakeCall incorporates multiple advanced capabilities aimed at increasing the effectiveness and stealth of the malware:
FakeCall sets itself as the default call handler upon installation, asking the user for approval via an Android APK installation prompt. Once set as the default handler, it gains control over outgoing and incoming calls.
Through the call interface it controls, FakeCall intercepts calls made to genuine bank numbers and redirects them to attacker-controlled numbers, allowing attackers to pose as legitimate bank representatives in real time.
The controlled interface mimics the Android dial pad, displaying genuine-looking contact information, which makes it difficult for users to recognize any manipulation.
The malware employs a custom call screen interface that imitates legitimate Android call interfaces, displaying trusted contact names and information to deceive users further. The approach builds on previous versions that displayed fake call interfaces, but now with enhanced realism and interactivity.
Zimperium’s analysis indicates more robust code obfuscation techniques, making it harder for traditional antivirus tools to detect and analyze the malware.
The malware uses Android’s accessibility service to gain extensive permissions, allowing it to automatically approve necessary permissions without user awareness, giving it near-full control over the device’s user interface.
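The two device conditions described above, a replaced default call handler and an unexpected accessibility service, can be checked from a banking app on the device. The following is an added example written for this article, not code from Zimperium’s analysis or from the malware; the dialer and accessibility allowlists are assumed placeholder values to be adapted to a given fleet.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.telecom.TelecomManager
import android.view.accessibility.AccessibilityManager

/** Posture result: both flags/lists are clean on an unmodified device. */
data class DialerPosture(
    val defaultDialer: String?,
    val unexpectedDialer: Boolean,
    val unexpectedAccessibilityServices: List<String>
)

object DialerPostureCheck {
    // Assumed allowlist (placeholder): stock AOSP, Google and Samsung dialers.
    private val knownDialers = setOf(
        "com.android.dialer",
        "com.google.android.dialer",
        "com.samsung.android.dialer",
    )
    // Assumed allowlist (placeholder): accessibility services a fleet expects, e.g. TalkBack.
    private val knownAccessibilityPackages = setOf(
        "com.google.android.marvin.talkback",
    )

    fun check(context: Context): DialerPosture {
        // Which package currently holds the default dialer role. FakeCall asks the
        // user to grant it this role at install time, so a holder outside the
        // allowlist is the first red flag a banking app can act on.
        val telecom = context.getSystemService(Context.TELECOM_SERVICE) as TelecomManager
        val dialer: String? = telecom.defaultDialerPackage
        val unexpectedDialer = dialer != null && dialer !in knownDialers

        // Enabled accessibility services. The report notes FakeCall abuses this
        // API to auto-approve permissions, so any enabling package not on the
        // allowlist is reported by package name for triage.
        val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
        val unexpected = am
            .getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .map { it.resolveInfo.serviceInfo.packageName }
            .filter { it !in knownAccessibilityPackages }
            .distinct()

        return DialerPosture(dialer, unexpectedDialer, unexpected)
    }
}
```

A non-empty result is a signal for the app to warn the user or step up authentication before a sensitive transaction, not proof of infection on its own, since legitimate third-party dialers and accessibility tools also trigger it.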
Bluetooth Listener and Screen Status Monitor
These functionalities, currently lacking overt malicious behavior, suggest the developers are testing additional capabilities for future versions. They could potentially enable new attack vectors, such as intercepting Bluetooth-connected devices or triggering specific actions based on screen activity.
The malware has integrated a communication channel with its Command-and-Control (C2) server, enabling remote commands to manipulate various device functions. Commands include actions like location tracking, uninstalling applications, recording audio/video, and modifying contacts.
Hijacking Live Streams and Media Capture
Beyond voice phishing, FakeCall can now hijack live audio and video streams from infected devices, allowing attackers to capture sensitive conversations or on-screen content without user interaction, further extending its data-theft capabilities.
The evolution of FakeCall demonstrates a concerted effort by its operators to enhance its functionality and remain undetected. The malware’s developers are continually improving its stealth, evidenced by new obfuscation techniques and modular capabilities under development. The inclusion of non-operational features, such as the Bluetooth listener, indicates ongoing development efforts aimed at transforming FakeCall into a multi-functional trojan capable of a broader range of attacks.
IOCs, such as app package names and APK checksums, have been documented and shared on GitHub to aid cybersecurity professionals in identifying FakeCall infections. The indicators are vital for integrating proactive defenses within Android ecosystems and financial institutions, enabling early detection and remediation.
FakeCall’s advanced impersonation capabilities and real-time call interception pose a significant threat to Android users, particularly those handling sensitive transactions through mobile banking. Financial institutions must be aware of this trojan’s evolution, as it could undermine user trust in mobile banking platforms. Raising user awareness about potential red flags and implementing enhanced multi-factor authentication can help mitigate risks.
The FakeCall trojan’s latest version represents a significant leap in mobile malware sophistication. Its ability to intercept and manipulate live banking calls, combined with its evolving stealth features, makes it a potent threat. Security professionals and Android users should remain vigilant, update defenses promptly, and monitor IOCs to detect and mitigate FakeCall’s impact. Financial institutions are advised to invest in enhanced fraud detection algorithms and provide clear guidance to customers regarding secure banking practices to counteract the dangers posed by this malware.
