A new update of the FakeCall malware targeting Android devices now intercepts outgoing calls made to a user’s bank, redirecting them instead to the attacker’s number.
The primary aim of this latest version remains focused on stealing sensitive information and accessing money from users’ bank accounts.
Known as FakeCall or FakeCalls, this malware operates as a banking trojan that specializes in voice phishing, tricking victims through fake calls that impersonate banks and ask for sensitive details.
Kaspersky initially flagged the trojan in April 2022, noting that it used convincing call interfaces to create the impression that the user was genuinely connected to their bank.
In March 2023, Check Point reported that FakeCall had begun impersonating over 20 financial institutions, luring users with offers of low-interest loans and using additional evasion techniques to avoid detection.
Beyond vishing (voice phishing), FakeCall is capable of capturing live audio and video feeds from infected devices, enabling attackers to extract sensitive information without the user’s active participation.
Previous versions of FakeCall would encourage users to initiate calls to their bank from within the app itself, posing as a legitimate financial institution. A fake overlay would then display the bank’s actual phone number, all while connecting the victim to the attackers.
According to recent analysis by Zimperium, this updated version of FakeCall now sets itself up as the device's default call handler, prompting the user to grant that role when the APK is installed on the Android device.
The default call handler (the phone or dialer app) is the component Android routes both incoming and outgoing calls through; it provides the interface for dialing, connecting, and disconnecting calls.
Once granted default handler status, the malware is in a position to see, intercept, and control both incoming and outgoing calls.
To deceive users further, a fake call interface that replicates the actual Android dialer is used, displaying contact names and other trusted information, making it highly challenging for victims to notice the manipulation.
The danger of this malware is that when a user tries to contact their financial institution, it secretly intercepts the call, redirecting it to an attacker’s number.
“When the compromised individual attempts to contact their financial institution, the malware redirects the call to a fraudulent number controlled by the attacker,” the new Zimperium report explains.
“The malicious app will deceive the user, displaying a convincing fake UI that appears to be the legitimate Android’s call interface showing the real bank’s phone number.”
“The victim will be unaware of the manipulation, as the malware’s fake UI will mimic the actual banking experience, allowing the attacker to extract sensitive information or gain unauthorized access to the victim’s financial accounts.”
Zimperium also found that recent FakeCall versions incorporate various new features and attack mechanisms, even as its code becomes more heavily obfuscated. Some of these new capabilities are still under development.
One notable update is the addition of a Bluetooth listener and a screen state monitor, though these features currently lack malicious functionality.
The malware now also abuses Android’s Accessibility Service, which gives it broad control over the user interface. With it, the malware can monitor dialer activity, click through permission prompts to grant itself permissions, and simulate user actions such as taps and gestures.
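The two settings described above, the dialer role and enabled accessibility services, are both readable over `adb` and make a cheap triage check. The script below is an added example written for this page, not code from Zimperium’s report or from the malware. It assumes the raw output of `adb shell cmd role get-role-holders android.app.role.DIALER` (one package per line or `;`-separated) and of `adb shell settings get secure enabled_accessibility_services` (`:`-separated `package/class` entries, or `null` when none are enabled); the allowlists and the sample package names (`com.example.callsvc` and friends) are constructed for the example, not real indicators.

```python
"""Triage a device for the FakeCall pattern: an unfamiliar package holding the
default dialer role, especially one that also runs an accessibility service.
Added example; the adb output formats and allowlists below are assumptions."""

from dataclasses import dataclass

# Packages expected to hold the dialer role on common builds (assumed allowlist;
# extend it for the devices in your fleet).
KNOWN_DIALERS = {
    "com.android.dialer",          # AOSP
    "com.google.android.dialer",   # Google Phone
    "com.samsung.android.dialer",  # Samsung
}

# Accessibility services a user legitimately enables (assumed allowlist).
KNOWN_ACCESSIBILITY = {
    "com.google.android.marvin.talkback",
}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    package: str
    reason: str


def parse_role_holders(text: str) -> list[str]:
    """Role holders: assumed one package per line, or ';'-separated."""
    return [p.strip() for p in text.replace(";", "\n").splitlines() if p.strip()]


def parse_accessibility_services(text: str) -> list[str]:
    """enabled_accessibility_services is a ':'-separated list of pkg/class
    component names ('null' when unset). Return the owning package of each."""
    text = text.strip()
    if not text or text == "null":
        return []
    return [comp.split("/", 1)[0] for comp in text.split(":") if comp]


def triage(role_holders_out: str, accessibility_out: str) -> list[Finding]:
    """Correlate the two settings; the dialer-plus-accessibility combination is
    the one the article describes and is rated highest."""
    findings: list[Finding] = []
    dialers = parse_role_holders(role_holders_out)
    a11y = set(parse_accessibility_services(accessibility_out))

    for pkg in dialers:
        if pkg in KNOWN_DIALERS:
            continue
        if pkg in a11y:
            findings.append(Finding("high", pkg,
                "unknown default dialer that also runs an accessibility service"))
        else:
            findings.append(Finding("medium", pkg,
                "unknown package holds the dialer role"))

    for pkg in sorted(a11y - KNOWN_ACCESSIBILITY):
        if pkg not in dialers:  # already reported above otherwise
            findings.append(Finding("low", pkg, "unknown accessibility service enabled"))
    return findings


if __name__ == "__main__":
    # Constructed sample output standing in for the two adb commands.
    SAMPLE_ROLE_HOLDERS = "com.example.callsvc\n"
    SAMPLE_A11Y = ("com.example.callsvc/.AccessService:"
                   "com.google.android.marvin.talkback/.TalkBackService")
    for f in triage(SAMPLE_ROLE_HOLDERS, SAMPLE_A11Y):
        print(f"[{f.severity}] {f.package}: {f.reason}")
```

On a device the two inputs come from `adb shell cmd role get-role-holders android.app.role.DIALER` (Android 10 and later) and `adb shell settings get secure enabled_accessibility_services`; pipe each into the matching parser. A "high" finding is not proof of infection on its own, but an app that is both the default dialer and an accessibility service, and that you did not deliberately install, deserves a look at its APK hash against Zimperium’s published IoCs.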
A newly introduced phone listener service opens a communication line with the attacker’s command and control (C2) server, enabling them to issue commands for actions like locating the device, deleting apps, recording audio or video, and modifying contacts.
The latest variant introduces additional commands that include:
- Setting the malware as the default call handler.
- Starting a live stream of the device’s screen.
- Taking screenshots of the device’s display.
- Unlocking the device and disabling auto-lock temporarily.
- Using accessibility services to simulate a home button press.
- Deleting images chosen by the C2 server.
- Accessing, compressing, and uploading images and thumbnails, especially targeting the DCIM folder for photos.
These updates indicate that FakeCall remains under active development, with its operators aiming to make it an even more evasive and powerful banking trojan.
Zimperium has released a list of indicators of compromise (IoCs), including app package names and APK checksums, to help users identify and avoid the apps carrying this malware. Threat actors often rotate these indicators, however, so a clean hash or package match on its own is not proof that a device is uninfected.
Users are advised to avoid manually installing Android apps through APK files and to instead rely on the Google Play Store. Although malware can still appear on Google’s platform, Google Play Protect can remove it when detected.