An Android voice phishing (aka vishing) malware campaign known as FakeCalls has reared its head once again to target South Korean users under the guise of over 20 popular financial apps.
“FakeCalls malware possesses the functionality of a Swiss army knife, able not only to conduct its primary aim but also to extract private data from the victim’s device,” cybersecurity firm Check Point said.
FakeCalls was previously documented by Kaspersky in April 2022, describing the malware’s capabilities to imitate phone conversations with a bank customer support agent.
In the observed attacks, users who install the rogue banking app are enticed into calling the financial institution by offering a fake low-interest loan.
At the point where the phone call actually happens, a pre-recorded audio with instructions from the real bank is played. At the same time, malware also conceals the phone number with the bank’s real number to give the impression that a conversation is happening with an actual bank employee on the other end.
The ultimate goal of the campaign to get the victim’s credit card information, which the threat actors claim is required to qualify for the non-existent loan.
The malicious app also requests for intrusive permissions so as to harvest sensitive data, including live audio and video streams, from the compromised device, which are then exfiltrated to a remote server.
The latest FakeCalls samples further implement various techniques to stay under the radar. One of the methods involves adding a large number of files inside nested directories to the APK’s asset folder, causing the length of the file name and path to breach the 300-character limit.
“The malware developers took special care with the technical aspects of their creation as well as implementing several unique and effective anti-analysis techniques,” Check Point said. “In addition, they devised mechanisms for disguised resolution of the command-and-control servers behind the operations.”
While the attack exclusively focuses on South Korea, the cybersecurity company has warned that the same tactics can be repurposed to target other regions across the world.
The findings also come as Cyble shed light on two Android banking trojans dubbed Nexus and GoatRAT that can harvest valuable data and carry out financial fraud.
Nexus, a rebranded version of SOVA, also incorporates a ransomware module that encrypts the stored files and can abuse Android’s accessibility services to extract seed phrases from cryptocurrency wallets.
In contrast, GoatRAT is designed to target Brazilian banks and joins the likes of BrasDex and PixPirate to commit fraudulent money transfer over the PIX payments platform while displaying a fake overlay window to hide the activity.
The development is part of a growing trend where threat actors have unleashed increasingly sophisticated banking malware to automate the whole process of unauthorized money transfers on infected devices.
Cybersecurity company Kaspersky said it detected 196,476 new mobile banking trojans and 10,543 new mobile ransomware trojans in 2022, with China, Syria, Iran, Yemen, and Iraq emerging as the top countries attacked by mobile malware, including adware.
Spain, Saudi Arabia, Australia, Turkey, China, Switzerland, Japan, Colombia, Italy, and India lead the list of top countries infected by mobile financial threats.
“Despite the decline in overall malware installers, the continued growth of mobile banking Trojans is a clear indication that cybercriminals are focusing on financial gain,” Kaspersky researcher Tatyana Shishkova said.