
Vishing Takes a New Turn With FakeCall Android Malware


A new iteration of sophisticated malware that lets attackers conduct advanced voice and mobile phishing attacks against Android users has emerged, with enhanced capabilities to further manipulate compromised devices for illicit purposes.

Known as FakeCall, this malware has been tracked by various research groups since at least 2022. It operates by duping victims into dialing fraudulent phone numbers controlled by the attacker, then feigning a conversation with bank representatives or other entities to deceive and defraud the user.

Originally, FakeCall was designed to communicate with an attacker-controlled command-and-control (C2) server, allowing for a variety of deceptive actions aimed at manipulating the victim. Apart from enabling attackers to manage a victim’s phone calls, it also grants access to various Android device permissions for additional malicious endeavors.

Recently, researchers at Zimperium zLabs unearthed a fresh variant of FakeCall that introduces new functionalities, some of which are still in development, enhancing attackers’ ability to monitor device activity and exercise precise control over the compromised device. Their findings were disclosed in a blog post released today.

This updated variant shows how cybercriminals are finding new ways to blend into Android devices, evading detection and persisting on a user’s device. This evolution illustrates a critical need for advanced security solutions capable of identifying and thwarting this sophisticated threat.

In particular, one feature of the new variant integrates with Android’s Accessibility Service, offering attackers considerable control over the user interface and the capacity to capture on-screen information. This advancement illustrates how attackers can transcend basic device permissions to exploit a more intricate attack vector, enabling them to intercept calls, access sensitive data, and manipulate the user interface to a significant degree.

By replicating authentic interfaces, attackers make it nearly impossible for users to detect the malware, necessitating advanced security measures to counter this menace effectively.

Additionally, the latest features of FakeCall expand its spyware capabilities, setting it apart from other vishing and mishing (mobile-targeted phishing) attacks that typically involve one-time engagements. These new functionalities include a Bluetooth receiver that monitors Bluetooth status changes and a screen receiver that observes the device’s screen status.

FakeCall was initially identified by Kaspersky researchers in April 2022 as a banking Trojan with extended call interception capabilities to create fake customer-service scenarios for malicious intents. The malware’s spyware features encompass activating a device’s microphone to relay recordings to the attacker’s C2 server, broadcasting real-time audio and video, and pinpointing the device’s location.

Typically, a FakeCall attack is initiated when victims unknowingly install a malicious APK file, disguised as a legitimate app, onto an Android device via a phishing attack. This file acts as a conduit for FakeCall, prompting users to set it as the default call handler. Subsequently, attackers gain control over incoming and outgoing calls, utilizing a fabricated interface resembling the native Android dialer to execute malicious operations.

Apart from monitoring calls and transmitting data to attackers, FakeCall enables cybercriminals to engage in identity fraud by altering dialed numbers to deceive users into making fraudulent calls. By employing an adversary-in-the-middle approach, attackers can intercept calls, establish unauthorized connections with other users, and avoid detection until users eradicate the malware or restart their devices.

To shield against FakeCall attacks, users are advised to meticulously vet Android apps before installation and to obtain apps solely from reputable app stores. Given the prevalence of mobile devices in business operations, the compromise of a device through FakeCall could have severe repercussions for enterprises, making it imperative for organizations to educate their personnel on identifying and reporting mobile phishing attacks promptly.
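The two footholds described above, the default call handler role and an enabled Accessibility Service, can both be read from a device during an audit. The following is an added example, not code from the article or from Zimperium: the allowlists and the `com.example.bankhelper` package are constructed assumptions, and it assumes `telecom get-default-dialer` prints a bare package name.

```python
# Collect the two inputs from a device under audit (USB debugging enabled):
#   adb shell telecom get-default-dialer
#   adb shell settings get secure enabled_accessibility_services

# Assumption: dialer packages trusted on your fleet; adjust per device vendor.
TRUSTED_DIALERS = {
    "com.google.android.dialer",
    "com.samsung.android.dialer",
    "com.android.dialer",
}
# Assumption: accessibility services you expect to see (here only TalkBack).
TRUSTED_A11Y = {"com.google.android.marvin.talkback"}


def parse_a11y_services(raw):
    """Return the package names in a colon-separated 'pkg/class' list."""
    raw = raw.strip()
    if raw in ("", "null"):  # the setting is unset when no service is enabled
        return set()
    return {c.split("/", 1)[0].strip() for c in raw.split(":") if c.strip()}


def audit(default_dialer, a11y_raw):
    """Return (severity, package, reason) findings for one device."""
    dialer = default_dialer.strip()
    a11y_pkgs = parse_a11y_services(a11y_raw)
    findings = []
    if dialer and dialer not in TRUSTED_DIALERS:
        findings.append(("high", dialer, "untrusted default call handler"))
    for pkg in sorted(a11y_pkgs - TRUSTED_A11Y):
        findings.append(("medium", pkg, "unexpected accessibility service"))
    # The combination the article describes: one app owning calls and the UI.
    if dialer in a11y_pkgs and dialer not in TRUSTED_DIALERS:
        findings.append(
            ("critical", dialer, "call handler also holds accessibility access")
        )
    return findings


# Constructed sample output, not taken from a real infection.
SAMPLE_DIALER = "com.example.bankhelper\n"
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.bankhelper/.core.UiService\n"
)

if __name__ == "__main__":
    for sev, pkg, reason in audit(SAMPLE_DIALER, SAMPLE_A11Y):
        print(f"[{sev}] {pkg}: {reason}")
```
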
