Fake Calls Android Malware Attacking Android Users

An Android Trojan dubbed “FakeCalls” was spotted by the Check Point Research team. This malware can pretend to be one of more than 20 financial applications and imitate phone conversations with the bank or financial service employees. This tactic is known as voice phishing.

The South Korean market was the target of the Swiss-army-knife-like capabilities of the FakeCalls malware, which may accomplish its main objective while also obtaining sensitive information from the victim’s device.

“We discovered more than 2500 samples of the FakeCalls malware that used a variety of combinations of mimicked financial organizations and implemented anti-analysis techniques,” Check Point Research team.

“The malware developers paid special attention to the protection of their malware, using several unique evasions that we had not previously seen in the wild.”

How Voice Phishing Works?

In the South Korean market, voice phishing assaults are not new. In 2020, voice phishing caused financial losses of almost 600 million USD, with 170,000 individuals falling prey to it between 2016 and 2020, according to a report posted on the website of the South Korean government.

Malware may be installed on the victim’s device as the first stage of the attack using phishing, black SEO, or malvertizing.

The FakeCalls malware is disseminated on fake banking apps that pose as significant Korean financial organizations, leading victims to believe they are using a genuine app from a reputable vendor.

The app offers the victim a loan with a low-interest rate to start the attack. After the victim shows interest, the malware places a call and plays a recording of the bank’s real customer service representative giving instructions on how to get the loan request accepted.

The malware can hide the attackers’ calling number, however, and display the actual number of the fake bank instead, making the discussion seem genuine.

The victim is eventually duped into providing their credit card information, which is later taken by the attackers and is purportedly necessary for getting the loan.

Principal scheme of the voice phishing attack

“When victims install the FakeCalls malware, they have no reason to suspect that some hidden catches are present in the “trustworthy” internet-banking application from a solid organization”, explains CheckPoint researchers.

Moreover, a pre-recorded audio clip that pretends to be bank instructions in place of a phone call with a malware operator can be played.

Anti-Analysis Techniques

FakeCalls incorporate three new strategies to assist it in avoiding detection. The first method, referred to as “multi-disk,” is altering the ZIP header data of the APK (Android package) file by putting abnormally high values for the EOCD record to trick automated analysis tools.

The second evasion method involves changing the AndroidManifest.xml file’s starting marker to be undetectable, altering the structure of the strings and styles, and tampering with the last string’s offset to lead to an inaccurate interpretation.

Wring last string offset in the array
Wrong last string offset in the array

The APK’s asset folder is used to add numerous files inside nested directories as the third evasion technique, resulting in file names and paths that are longer than 300 characters. According to experts, this may cause issues for some security tools, making it difficult for them to find the malware.

File in the APK asset folder
Files in the APK asset folder

Final Thoughts

Voice phishing is an issue that has cost victims in South Korea $600 million in 2020 alone, according to government statistics, and there have been 170,000 documented victims between 2016 and 2020.

Hence, researchers say the techniques and strategies utilized in this specific malware can be applied to various applications that target other global markets.

Network Security Checklist – Download Free E-Book

Related Read:

Source: gbhackers.com