The FakeCall Android banking trojan has been enhanced with new functionality and improved evasion.
The vishing malware known as FakeCall (aka Fakecalls) has become more sophisticated. New research shows an increase in the evasion and espionage capabilities of an Android malware that has long been known and classified as a banking trojan largely targeting South Korea.
An attack begins through traditional phishing, persuading the target to download an APK file which acts as a dropper for the FakeCall malware. Mika Aalto, co-founder and CEO at Hoxhunt, separately told SecurityWeek, “Research performed by ourselves and others has found that people are somewhere between 2 to 8 times more likely to fall for a phishing attack on mobile than via desktop.”
If successfully installed, the FakeCall malware communicates with a C2 server, which can instruct it to execute various commands that deceive the victim. Historically, the primary purpose of FakeCall has been to intercept calls placed by the user (such as to a bank) and deliver a believable voice response asking for credential details. This primary functionality and methodology continues.
However, a recent sample found and analyzed by Zimperium’s zLabs researchers shows a discrepancy between the activities listed in the app’s manifest and those found in the decompiled code. The malware is now using a more complex architecture, with the ‘missing’ code contained in a dynamically decrypted and loaded .dex file – the researchers had to use an open source tool to dump the .dex file before they could analyze the code it contained.
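The manifest-versus-code discrepancy the researchers describe is something an analyst can check mechanically once an APK is unpacked. The following is an added example, not Zimperium's tooling or anything from the FakeCall sample: it takes a decoded AndroidManifest.xml and the list of classes actually present in classes.dex (which you would obtain from a DEX dumping tool; the manifest, class list and string list below are constructed for illustration), reports every declared activity, service, receiver or provider whose class is absent, and flags DEX strings that hint at runtime code loading. The marker list is a heuristic assumption, since legitimate plugin frameworks use the same APIs.

```python
"""Manifest-vs-DEX consistency check for an unpacked Android APK.

Added example (not the researchers' tooling). Inputs: the decoded
AndroidManifest.xml text, the class descriptors found in classes.dex, and
the DEX string table. Sample inputs below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Strings whose presence in a DEX suggests code is loaded at runtime rather
# than shipped in classes.dex. Assumed heuristic, not proof of malice.
LOADER_MARKERS = {
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/InMemoryDexClassLoader;",
    "Ljavax/crypto/Cipher;",
}


def descriptor_to_name(cls):
    """Normalise a DEX descriptor 'Lcom/a/B;' to 'com.a.B'; dotted names pass through."""
    if cls.startswith("L") and cls.endswith(";"):
        return cls[1:-1].replace("/", ".")
    return cls


def declared_components(manifest_xml):
    """Fully qualified class names of every component the manifest declares."""
    root = ET.fromstring(manifest_xml)
    package = root.attrib.get("package", "")
    app = root.find("application")
    names = set()
    if app is None:
        return names
    for tag in COMPONENT_TAGS:
        for el in app.iter(tag):
            name = el.attrib.get(ANDROID_NS + "name")
            if not name:
                continue
            # Android resolves ".Foo" and bare "Foo" relative to the package name.
            if name.startswith("."):
                name = package + name
            elif "." not in name:
                name = package + "." + name
            names.add(name)
    return names


def missing_components(manifest_xml, dex_classes):
    """Components declared in the manifest but absent from the shipped DEX."""
    present = {descriptor_to_name(c) for c in dex_classes}
    return declared_components(manifest_xml) - present


def loader_indicators(dex_strings):
    """Sorted list of runtime-loading markers seen in the DEX string table."""
    return sorted(LOADER_MARKERS.intersection(dex_strings))


# Constructed sample: a fake dialer whose listener service and receivers
# are declared but not present in classes.dex.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dialer">
  <application android:label="Dialer">
    <activity android:name=".MainActivity"/>
    <service android:name=".PhoneListenerService"/>
    <receiver android:name="com.example.dialer.BluetoothReceiver"/>
    <receiver android:name="ScreenReceiver"/>
  </application>
</manifest>
"""

SAMPLE_DEX_CLASSES = [
    "Lcom/example/dialer/MainActivity;",
    "Lcom/example/dialer/Loader;",
]

SAMPLE_DEX_STRINGS = [
    "Lcom/example/dialer/Loader;",
    "Ldalvik/system/InMemoryDexClassLoader;",
    "Ljavax/crypto/Cipher;",
    "AES/CBC/PKCS5Padding",
]

if __name__ == "__main__":
    for name in sorted(missing_components(SAMPLE_MANIFEST, SAMPLE_DEX_CLASSES)):
        print("declared but absent from classes.dex:", name)
    for marker in loader_indicators(SAMPLE_DEX_STRINGS):
        print("runtime-loading indicator:", marker)
```

A non-empty result from `missing_components` means the declared code must come from somewhere else at runtime, which is the cue to hook the loader or dump memory for the second-stage .dex rather than trusting the static decompilation.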
“This suggested a strategic evolution – some malicious functionality had been partially migrated to native code, making detection more challenging,” note the researchers in their analysis. This evolution seems to be continuing. Two receivers, a Bluetooth Receiver monitoring Bluetooth status and changes, and a Screen Receiver simply monitoring the screen state (on or off) “appear to be still under development”.
Another new element is an Accessibility Service. The researchers didn’t gain full visibility into its functions, but believe it allows the malware to detect attempted user calls made by apps other than the malware itself; to grant itself permissions without specific user consent; and to remotely control the device UI, allowing precise device manipulation.
The malware’s phone listener service – the basic conduit between the malware and the C2 server – has also been enhanced. Some functionalities have been moved to native code, while new functionalities have been added. New commands include the ability to disable Bluetooth; to retrieve a list of thumbnails from the DCIM directory; to compress and upload that list; to upload a full image; to delete a specified image; to simulate pressing the home button; to unlock the screen; to mimic a tap at specific coordinates; to set the malware as the default dialer; to initiate or halt a video stream of the screen contents; and to capture a screenshot of the device’s display.
The primary purpose of FakeCall seems to be unchanged: it is a banking trojan. “When the compromised individual attempts to contact their financial institution, the malware redirects the call to a fraudulent number controlled by the attacker,” report the researchers. “The malicious app will deceive the user, displaying a convincing fake UI that appears to be the legitimate Android’s call interface showing the real bank’s phone number. The victim will be unaware of the manipulation, as the malware’s fake UI will mimic the actual banking experience, allowing the attacker to extract sensitive information or gain unauthorized access to the victim’s financial accounts.”
However, while the Zimperium research mentions neither specific targets, expanded purposes, nor potential attribution, the malware has clearly become more evasive and gained functionality. The conclusion of other researchers who examined earlier variants (including Kaspersky, ThreatFabric, and Check Point) still stands: this is an unattributed Android banking trojan targeting the South Korean market.
Nevertheless, Callie Guenther, senior manager of cyber threat research at Critical Start, told SecurityWeek, “The techniques used, such as native API utilization, advanced obfuscation, and remote surveillance, resemble TTPs seen in state-sponsored campaigns. Although not definitively attributed, these capabilities align with those observed in APT groups focused on espionage and high-value financial targeting.”
She continues, “FakeCall poses a substantial threat not just to individuals but also to enterprises and government sectors. By hijacking the user interface and controlling communications, the malware creates a ‘man-in-the-device’ scenario with extensive access to data and communications, which is particularly dangerous for organizations without strong mobile threat protection.”
Jason Soroko, senior fellow at Sectigo, adds, “The attackers using this malware have also been known to use signing keys to further enable the malware to slip past defenses. By seamlessly mimicking legitimate interfaces, it renders detection by users nearly impossible.”
The Zimperium report provides a map of the malware tactics to MITRE’s ATT&CK Techniques, and a link to the list of known IOCs.
Related: Android 15 Rolling Out With New Theft, Application Protection Features
Related: Android’s October 2024 Update Patches 26 Vulnerabilities
Related: New Phishing Technique Bypasses Security on iOS and Android to Steal Bank Credentials
Related: BingoMod Android RAT Wipes Devices After Stealing Money