FakeCalls Vishing malware targets South Korean users through popular financial apps - POKIKA


March 17, 2023 | Ravi Lakshmana | Mobile security / fraud alert

An Android voice phishing (aka vishing) malware campaign known as FakeCalls has once again reared its head to target South Korean users under the guise of more than 20 popular financial apps.

“FakeCalls malware has the functionality of a Swiss army knife that can not only accomplish its primary purpose, but also extract personal data from a victim’s device,” said cybersecurity firm Check Point.

Kaspersky previously documented FakeCalls in April 2022, describing the malware’s ability to mimic phone conversations with a bank customer service agent.

In observed attacks, users who install the rogue banking app are lured into calling the financial institution by the offer of a fake low-interest loan.

At the point where the phone call actually takes place, pre-recorded audio with the actual bank's instructions is played. At the same time, the malware masks the phone number with a real bank number to give the impression that the conversation is with a real bank employee on the other end.

The ultimate goal of the campaign is to obtain the victim’s credit card information, which the threat actors claim is required to obtain a non-existent loan.

The malware also requests intrusive permissions to collect sensitive data, including live audio and video streams, from the compromised device, which is then exfiltrated to a remote server.

The latest FakeCalls samples further employ various techniques to stay under the radar. One method involves adding a large number of files inside nested directories in the APK’s assets folder, causing the combined filename and path length to exceed the 300-character limit.
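A triage check for the asset-padding technique described above, as an added example that is not code from the article or from Check Point. It assumes the 300-character figure applies to the full entry path inside the APK; the function names and the sample archive are constructed for illustration.

```python
import io
import zipfile

PATH_LIMIT = 300  # character limit cited in the article


def scan_apk_assets(apk, limit=PATH_LIMIT):
    """Summarise asset entries whose in-archive path is longer than `limit`.

    `apk` is a filesystem path or a binary file object. Only the names in
    the ZIP central directory are read; nothing is extracted to disk.
    """
    with zipfile.ZipFile(apk) as zf:
        names = [n for n in zf.namelist()
                 if n.startswith("assets/") and not n.endswith("/")]
    over = [n for n in names if len(n) > limit]
    return {
        "asset_files": len(names),
        "over_limit": len(over),
        "longest_path": max((len(n) for n in names), default=0),
        # nesting depth of the deepest over-limit entry
        "max_depth": max((n.count("/") for n in over), default=0),
        "suspicious": bool(over),
    }


def build_sample_apk(padded_files=0):
    """Constructed sample: an in-memory ZIP standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"")
        zf.writestr("assets/config.json", b"{}")
        # ten nested directories with 30-character names
        deep = "assets/" + "/".join(["d" * 30] * 10)
        for i in range(padded_files):
            zf.writestr(f"{deep}/f{i}.bin", b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for label, count in (("clean", 0), ("padded", 25)):
        print(label, scan_apk_assets(build_sample_apk(count)))
```

Reading names from the central directory avoids the extraction step that over-long paths are meant to disrupt, so the check can run before any unpacking tool touches the file.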

“Malware developers have paid special attention to the technical aspects of their creation, and have employed several unique and effective anti-analysis techniques,” Check Point said. “In addition, they have developed mechanisms to covertly resolve the command and control servers behind the operations.”


While the attack exclusively focuses on South Korea, the cybersecurity firm warned that the same tactics could be adapted to target other regions of the world.

The findings also come as Cyble shines a light on two Android banking trojans, called Nexus and GoatRAT, that can collect valuable data and carry out financial fraud.

Nexus, a rebranded version of SOVA, also includes a ransomware module that encrypts saved files and can abuse Android accessibility services to extract seed phrases from cryptocurrency wallets.




GoatRAT, by contrast, is designed to target Brazilian banks and joins the likes of BrasDex and PixPirate in making fraudulent money transfers through the PIX payment platform while displaying a fake overlay window to hide the activity.

The development is part of a growing trend where threat actors have launched increasingly sophisticated banking malware to automate the entire process of unauthorized money transfers via infected devices.

Cybersecurity firm Kaspersky reported that it detected 196,476 new mobile banking trojans and 10,543 new mobile ransomware trojans in 2022, with China, Syria, Iran, Yemen and Iraq emerging as the top countries attacked by mobile malware, including adware.

Spain, Saudi Arabia, Australia, Turkey, China, Switzerland, Japan, Colombia, Italy and India top the list of countries infected with mobile financial threats.

“Despite the decline in the number of overall malware installers, the continued growth of mobile banking trojans clearly shows that cybercriminals are focusing on financial gain,” said Kaspersky researcher Tatyana Shishkova.
