Skip to content

FakeCall malware leverages Vishing to hijack mobile calls

  • by
  • 4 min read

Illustration: JMiks | Shutterstock

A new and updated malware known as ‘FakeCall’ uses vishing, or voice phishing, to trick users into revealing sensitive information through fraudulent voice calls and messages. This malware allows threat actors to intercept important financial calls, including conversations with a bank’s customer support.

Originally discovered in 2022, this updated FakeCall variant now possesses a broader arsenal. It can commandeer nearly all aspects of Android devices, from calls to screen activity, posing a serious threat to mobile security.

FakeCall malware represents an advanced form of Vishing wherein attackers initiate fraudulent calls or messages to extract login details, credit card information, or other private data.

The FakeCall attacks begin with carefully orchestrated phishing schemes that trick users into downloading a seemingly benign APK file. Once on the device, this initial download acts as a dropper, installing the malware payload. This second malware stage communicates with a remote Command and Control (C2) server, allowing attackers to control the infected device remotely.

Researchers discovered that the new FakeCall variant is highly obfuscated, challenging detection and analysis. The malware utilises dynamically decrypted files loaded only at runtime, enabling it to sidestep many detection systems.

By comparing the code and behaviour with older malware samples, researchers identified several similarities with past mobile malware. They revealed that some functions have been partially shifted to native code, adding further layers of complexity for cybersecurity defences.

In addition to its core Vishing capabilities, FakeCall has evolved to incorporate sophisticated features. Key elements of this functionality include:

  • Bluetooth and screen receivers: The malware listens to Bluetooth status changes and monitors screen states. While no immediate malicious intent is apparent, these receivers could indicate potential avenues for future updates.
  • Accessibility Service manipulation: FakeCall harnesses the Android Accessibility Service to obtain unprecedented control over the user interface. Methods such as onAccessibilityEvent() and onCreate() can capture on-screen data and even manipulate user permission without consent, presenting serious privacy concerns.
  • Remote control: FakeCall grants attackers control over the device UI, enabling simulated user actions like clicks and gestures. This feature allows attackers to navigate the device and perform unauthorised actions on the victim’s behalf.
FakeCall attack methodology explained. | Source: Zimperium

Further analysis revealed a specialised Phone Listener Service that constantly communicated with the C2 server. This service allows attackers to execute specific commands, enabling comprehensive remote device management.

Some functions, including Bluetooth and screen state monitoring, have yet to display any malicious activity, leading experts to believe they may serve as placeholders for further capabilities.

The capabilities present a significant risk as they allow attackers to intercept, manipulate, and monitor calls without the victim’s knowledge. For instance, if a user attempts to call a financial institution, the malware can redirect the call to a fraudulent number, mimicking a legitimate interface.

Some notable commands that this variant of FakeCall include:

  • turnoff_bluetooth: To disable Bluetooth activity.
  • Remote_homekey: To control the home button for closing apps covertly.
  • Remote_click: To control taps on specific coordinates, allowing attackers to interact with apps.
  • Request_phone_call: To set the malware as the default dialer, enabling control over call functions.
  • Remote_start: To begin a screen recording session, allowing attackers to monitor all on-screen actions.
  • Remote_stop: To halt screen recording, ending the session.

“The malicious app will deceive the user, displaying a convincing fake UI that appears to be the legitimate Android call interface showing the real bank’s phone number. The victim will be unaware of the manipulation, as the malware’s fake UI will mimic the actual banking experience, allowing the attacker to extract sensitive information or gain unauthorised access to the victim’s financial accounts,” researchers said.

The attacker can then prompt the victim to provide sensitive details, such as banking credentials, furthering the potential for identity theft.

The new FakeCall variant’s potential for identity fraud and call hijacking poses a real threat to mobile users, especially those who rely on their devices for secure transactions. By setting itself as the default call handler, the malware effectively intercepts all call data, altering dialled numbers to route users to attackers’ fake contact centres, where sensitive information is gathered.

In the News: Chrome gets performance mode, tab hibernation, real-time alerts

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me

>