What is FakeCall Malware?
FakeCall is a sophisticated Android malware family first identified in 2022. It uses social engineering techniques to deceive users and gain access to their banking information. Since its emergence, companies like Kaspersky, Check Point, and ThreatFabric have analyzed it, finding its primary victims among mobile users in South Korea. This new variant of FakeCall takes these techniques to the next level, granting attackers near-total control over the victim’s device.
Attack Mechanism
The new version of FakeCall is installed through dropper apps that pose as legitimate downloads, carrying package names such as:
• com.qaz123789.serviceone
• com.securegroup.assistant
• plnfexcq.fehlwuggm.kyxvb
Once installed, the malicious application abuses the device’s accessibility service APIs to grant itself the permissions it needs for unauthorized actions such as capturing screenshots, reading SMS messages and contacts, and monitoring calls. Additionally, FakeCall prompts the user to set it as the default dialer app, which lets it intercept incoming and outgoing calls and redirect the user to fraudulent numbers controlled by the attackers.
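The two footholds described above, holding the default dialer role and having an accessibility service enabled, are both visible from adb. The following audit script is an added example and is not from the original article or from any vendor report; it assumes adb on PATH, a device with USB debugging enabled, and Android 10 or later for the `cmd role` command, and it checks both settings against the three dropper package names listed above.

```shell
# Added example (not from the original article): audit the default dialer
# role and enabled accessibility services on a connected Android device and
# flag the dropper package names named in the article.
# Assumes: adb on PATH, USB debugging enabled, Android 10+ for `cmd role`.

# Package names taken from the article's dropper list.
IOC_PACKAGES="com.qaz123789.serviceone com.securegroup.assistant plnfexcq.fehlwuggm.kyxvb"

# Print every IoC package found in the given text; return 1 if none match.
find_ioc_packages() {
    text="$1"; hits=""
    for pkg in $IOC_PACKAGES; do
        case "$text" in
            *"$pkg"*) hits="$hits $pkg" ;;
        esac
    done
    [ -n "$hits" ] && { echo "$hits" | sed 's/^ //'; return 0; }
    return 1
}

# enabled_accessibility_services is a colon-separated list of "pkg/service";
# print only the package part of each entry, one per line.
a11y_packages() {
    printf '%s' "$1" | tr ':' '\n' | cut -d/ -f1 | sed '/^$/d'
}

# Query the live device and report; returns 1 when a known package is found.
audit_device() {
    dialer=$(adb shell cmd role get-role-holders android.app.role.DIALER 2>/dev/null | tr -d '\r')
    a11y=$(adb shell settings get secure enabled_accessibility_services 2>/dev/null | tr -d '\r')
    echo "default dialer: ${dialer:-<none>}"
    echo "accessibility services: $(a11y_packages "$a11y" | tr '\n' ' ')"
    if m=$(find_ioc_packages "$dialer $a11y"); then
        echo "ALERT: known FakeCall dropper package(s) hold a sensitive role: $m"
        return 1
    fi
    echo "no known FakeCall packages in dialer/accessibility roles"
}

# Run the audit only when executed directly under this file name, so the
# helper functions can also be sourced and reused.
if [ "${0##*/}" = "fakecall_audit.sh" ]; then
    audit_device
fi
```

Any unknown app holding the dialer role or an accessibility service deserves the same scrutiny; the IoC list only catches the samples the article names, while the role and settings output show every holder.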
Advanced Espionage Features
Beyond call interception and redirection, FakeCall includes advanced espionage tools, such as:
• Capturing SMS messages, contact lists, location data, and installed applications.
• Recording audio and video in real time from both of the device’s cameras.
• Controlling Bluetooth status and screen activity.
• Simulating a fake interface that mimics the appearance of Android’s native calling app, tricking users into believing they are contacting their bank while the number has been altered to one controlled by the attacker.
Call Redirection and Banking Fraud
Unlike previous versions, which merely requested users to make calls through the app, the new variant intercepts victims’ calls to financial institutions. When a user tries to contact their bank, the call is redirected to a fraudulent number that mimics the bank’s real interface. The attackers aim to extract sensitive data or perform fraudulent transactions through direct interaction.
Security Implications and Countermeasures
This new approach highlights how cybercriminals are evolving to circumvent security measures. The rise in vishing and mobile phishing attacks is a response to enhanced security efforts, such as caller ID apps that flag suspicious numbers. Google has also introduced a new security initiative in countries like Singapore, Thailand, Brazil, and India, restricting the installation of suspicious apps that request accessibility permissions—a change that could curb the spread of FakeCall and similar malware.
Security Recommendations
To protect against threats like FakeCall, experts recommend:
1. Avoid installing apps from unofficial sources: Limit installations to the official Google Play Store.
2. Review app permissions: Be cautious of apps requesting accessibility permissions without a clear reason.
3. Monitor call and banking activity: Immediately contact your financial institution if you notice suspicious activity.
4. Keep your operating system updated: Google and other developers release security patches to protect against emerging threats.
This malware case underscores the importance of staying vigilant against new mobile threat variants designed to bypass conventional security measures. It serves as a warning for organizations and users to be increasingly cautious in the face of ever-evolving fraud attempts.