a devastating triple attack that will leave you defenseless, moneyless, and trustless

In recent years, voice telephone fraud or vishing enough pall, so few people are on it. Most subscribers perceive any call from an unknown number with caution, and in case of a hint of fraud, they hang up.

However, recently researchers from the company ThreatFabric discovered a new and highly advanced vishing operation called LetsCall. It is a ready-to-use platform and can be used by any attackers, as it is something like a fraudulent franchise that contains detailed instructions and all the necessary tools to commit malicious acts.

Authorization window for accessing the web panel let’s call

The criminals behind LetsCall use a three-step tactic to steal from their victims and make it impossible for them to get a refund.

The attack begins by downloading a malicious downloader application from a fake Google Play website. How exactly the attackers encourage the victim to go to this page, the researchers could not figure out. However, once installed, the bootloader requests all necessary permissions to launch the next stage of the attack.

Installing a downloader app from a phishing scam site

The second stage is the download of a powerful spy application, carried out in the background from the downloader application. The spy is able to redirect the user to phishing pages when trying to access certain banking resources, allows hackers to steal data from the victim’s device, as well as connect the infected device to the network P2P–VoIPused by attackers.

It is at this stage that hackers can intercept the victim’s credentials used to log into online banking services, thanks to a cybercriminal phishing page that mimics the design of a legitimate bank website.

At the third stage, another additional application is installed on the victim’s device, expanding the capabilities of the aforementioned spy. The application supports the function of making phone calls, as well as the ability to redirect outgoing calls from the victim’s device directly to the attackers’ call center.

The call interception stage has its own set of customizable commands. Some of them relate to address book manipulation, such as creating and deleting contacts in the phone book. Other commands pertain to creating, modifying, and deleting filters that determine which calls should be intercepted by the application and which should be ignored.

In addition, the third-stage malware also contains pre-recorded audio messages that mimic the distribution answering machine of banking services.

Pre-recorded audio messages in the malicious application of the third stage

Hello, this is Hana Bank. Press #1 to transfer money to Hana Bank, #2 to transfer money to another bank, and #3 for transaction details. To access other services, press #6,” says one of the audio messages stored right in the hackers’ app. After that, depending on the availability of operators, the victim can be connected to the scammers or dropped.

To ensure the routing of voice traffic in LetsCall, technologies such as VoIP and WebRTC. Attackers also use protocols STUN And TURNincluding servers Google STUNto provide high quality calls and bypass restrictions NAT And firewall.

As ThreatFabric researchers suggest, the LetsCall attacker group consists of Android developers, designers, front-end and back-end developers, and call center operators who specialize in voice-based social engineering attacks.

Complete attack chain let’s call

What sets LetsCall apart from other forms of voice phishing is the use of advanced evasion techniques. All three malicious apk-files installed during the operation use various obfuscation methods, to which the anti-virus programs installed on the victim’s device do not respond.

Combining the infection of smartphones with vishing techniques, fraudsters can steal funds from the cards of their victims and even issue microloans on them, which will have to be repaid despite the fact of fraud. Such financial institutions often underestimate the seriousness of such violations and almost never conduct the necessary investigations to resolve the issue in favor of the victim.

Currently, LetsCall is being used to attack people in South Korea, but experts have not found any technical restrictions for spreading the campaign to other countries. Since the attack toolkit is transferred in its entirety to the one who paid for access to it, local attackers will only have to adapt it for use in their country and find several “call center operators” for further processing of the victims.

This advanced and sophisticated form of vishing highlights the constant evolution of criminal tactics and the ability of attackers to use any technology for their own ends. The LetsCall team demonstrates sophisticated knowledge of Android security and voice routing technologies.

To avoid becoming a victim of such an attack, always install applications only from official stores, from well-known publishers, and check the application rating, user reviews and requested permissions before downloading.