A new version of Android malware called FakeCalls, which imitates phone calls from over 20 financial institutions in South Korea, is being circulated once again.
This is not a new piece of malware, as Kaspersky reported on it a year ago, but researchers from Check Point have discovered newer versions that have implemented several new evasion mechanisms not seen in previous samples.
The malware is distributed on fake banking apps that impersonate legitimate financial institutions in South Korea.
Victims are tricked into installing the malware via phishing, black SEO, or malvertizing.
Once the malware is installed, it initiates a phone call that plays a recording from the bank’s customer support with instructions on getting a loan request approved.
The malware then tricks the victim into confirming their credit card details, supposedly required for receiving the loan, which are then stolen by the attackers.
In addition to the voice phishing process, FakeCalls can capture live audio and video streams from the compromised device, which could help the attackers collect additional information. In the latest samples captured by Check Point’s researchers, the malware incorporates three new techniques to evade detection.
The first mechanism is called ‘multi-disk,’ which involves manipulating the ZIP header data of the APK file, setting abnormally high values for the EOCD record to confuse automated analysis tools. The second evasion technique involves the manipulation of the AndroidManifest.xml file to make its starting marker indistinguishable, modify the strings.
Finally, the third evasion method is to add many files inside nested directories in the APK’s asset folder, resulting in file names and paths surpassing 300 characters.
South Korean government statistics show that vishing (voice phishing) cost victims in the country $600 million in 2020 alone, while there have been 170,000 reported victims between 2016 and 2020.
While FakeCalls has stayed in South Korea, the malware could easily expand its operations to other regions if its developers or affiliates develop a new language kit and app overlay to target banks in different countries.
With the rise of machine-learning speech models that can generate natural speech and mimic real persons’ voices with minimal training data input, vishing is poised to become an even greater threat shortly.