A banking malware for Android that researchers call “Fakecalls” comes with a powerful capability: it can take over calls to a bank’s customer service number and connect the victim directly with the threat actors behind the malware.
Fakecalls disguises itself as a mobile app from a popular bank and displays all the marks of the bank it impersonates, including the official logo and the customer support number.
The malware breaks the connection when the victim tries to call the bank. It then shows its own call screen, which is almost indistinguishable from that of the bank it impersonates.
The victims see the bank’s actual number on the screen; meanwhile, the connection is to the threat actors, posing as the bank’s customer service representatives. They do this to obtain details that would give them access to the victim’s funds.
The Fakecalls mobile banking trojan can do this because, at the point of installation, it asks for several permissions that give it access to the contact list, camera, microphone, call handling, and geolocation.
The malware emerged last year and has since targeted users in South Korea, specifically customers of popular banks like KakaoBank or Kookmin Bank (KB).
The malware has received little attention, although it’s been active for a while. This is probably due to its limited target geography.
After analyzing the malware, Kaspersky found that it can also play a pre-recorded message that mimics the ones used by banks to greet customers looking for support.
The malware developers recorded a few phrases commonly used by banks to let the customer know that an operator would take their call as soon as they were available.
Upon installation, the permissions requested by the malware allow the cybercriminals to spy on the victim by broadcasting audio and video from the device in real time, copying data (contacts and files like photos and videos), and seeing the device’s location and text message history.
Kaspersky recommends that users download apps only from official stores and pay attention to potentially dangerous permissions requested by the app to avoid falling victim to such malware.
Additionally, the researchers advise users not to share confidential information (login credentials, PIN, card security code, confirmation codes) over the phone.
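The advice to watch for dangerous permission requests can be turned into a quick triage check on an app's decoded manifest. The following is an added example, not code from Kaspersky or from the original article: it assumes a mapping from the capability categories named above to standard Android permission names (the article does not list the exact permissions Fakecalls requests), and the flagging threshold and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Assumption: the article names capability categories only; the mapping to
# standard Android permission names below is this example's own.
CATEGORIES = {
    "contacts": {"READ_CONTACTS", "WRITE_CONTACTS"},
    "camera": {"CAMERA"},
    "microphone": {"RECORD_AUDIO"},
    "call handling": {"CALL_PHONE", "PROCESS_OUTGOING_CALLS", "ANSWER_PHONE_CALLS",
                      "READ_CALL_LOG", "READ_PHONE_STATE"},
    "geolocation": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "text messages": {"READ_SMS", "RECEIVE_SMS"},
}

def requested_permissions(manifest_xml):
    """Return the platform permissions declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            if name.startswith(PREFIX):
                perms.add(name[len(PREFIX):])
    return perms

def audit(manifest_xml, threshold=4):
    """Flag apps that combine call handling with several other sensitive categories.
    The threshold is a triage heuristic (assumption), not a detection signature."""
    perms = requested_permissions(manifest_xml)
    hits = {c: sorted(perms & names) for c, names in CATEGORIES.items() if perms & names}
    return hits, "call handling" in hits and len(hits) >= threshold

def manifest(*names):
    """Build a constructed sample manifest declaring the given permissions."""
    rows = "".join(f'<uses-permission android:name="{PREFIX}{n}"/>' for n in names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.sample">{rows}</manifest>')

# Constructed samples, not taken from any real app.
BANK_LOOKALIKE = manifest("READ_CONTACTS", "CAMERA", "RECORD_AUDIO", "CALL_PHONE",
                          "PROCESS_OUTGOING_CALLS", "ACCESS_FINE_LOCATION", "READ_SMS")
QR_SCANNER = manifest("INTERNET", "CAMERA")

if __name__ == "__main__":
    for label, xml in (("bank lookalike", BANK_LOOKALIKE), ("QR scanner", QR_SCANNER)):
        hits, flagged = audit(xml)
        print(f"{label}: flagged={flagged} categories={sorted(hits)}")
```

A legitimate dialer or messaging app can also trip this heuristic, so a flag means "review what this app claims to be", not "malware".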