Thursday, March 30, 2023

FakeCalls malware can hide the scammer’s phone number

Hackers use a recording of a conversation with a bank employee to steal credit card details of Koreans.

Check Point researchers report that the “FakeCalls” Android malware is spreading in South Korea, simulating phone calls to more than 20 financial institutions and trying to trick bank customers into giving away their credit card details.

The researchers found that the latest version of FakeCalls has gained several evasion mechanisms that were absent from earlier samples. More than 2500 FakeCalls samples were found that imitated financial institutions and implemented anti-analysis techniques.

The first step of the attack is to install a malicious application on the victim’s device through phishing or malicious website ads.

FakeCalls is distributed in fake banking apps that impersonate major Korean financial institutions, making victims think they are using a legitimate app from a trusted vendor.

The attack begins with the application offering the victim a loan at a low interest rate. Once the victim shows interest, the malware initiates a phone call that plays a recording of the bank’s real customer support with instructions on how to approve the loan application.

However, FakeCalls masks the caller’s number and instead displays the real number of the bank it impersonates. During the conversation, the victim is asked to confirm their credit card details in order to receive the loan, and those details are then stolen by the attackers.

FakeCalls attack scheme

In addition to the vishing process, FakeCalls can capture audio and video streams from the compromised device, which helps the attackers gather additional information.

In the analyzed samples, FakeCalls includes three new methods of evading detection:

  1. Multidisk: manipulating the header data of the APK file and setting abnormally high values for the EOCD record to confuse automated analysis tools;
  2. Manipulating the AndroidManifest.xml file to make its start marker unrecognizable, change the structure of its strings and styles, and change the offset of the last string so that it is misinterpreted;
  3. Adding many files to subdirectories in the APK resource folder, so that file names and paths exceed 300 characters. According to Check Point, this can cause problems for some security tools and prevent them from detecting the malware.
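All three tricks are manipulations of the APK's ZIP structure, so a defender can screen for them statically before an analysis tool chokes on the file. The script below is an added example, not Check Point's tooling or the malware's own code: it parses the EOCD record and central directory of an APK by hand (rather than relying on a ZIP library that may reject the tampered file) and flags multi-disk EOCD fields and entry paths longer than 300 characters. The sample archives, the 337-character resource path and the 0xFFFF disk values are constructed here for the demonstration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record signature
CDH_SIG = b"PK\x01\x02"    # central directory file header signature
MAX_PATH = 300             # path-length threshold quoted in the article

def apk_anomalies(data: bytes) -> list[str]:
    """Flag EOCD multi-disk tricks and over-long entry paths in an APK (a ZIP)."""
    findings = []
    idx = data.rfind(EOCD_SIG)
    if idx < 0:
        return ["no EOCD record found"]
    disk_no, cd_disk, n_here, n_total, cd_size, cd_off, _ = struct.unpack(
        "<HHHHIIH", data[idx + 4:idx + 22])
    if disk_no or cd_disk:                        # a real APK is a single "disk"
        findings.append(f"multi-disk EOCD: disk={disk_no} cd_disk={cd_disk}")
    if cd_off + cd_size > idx:                    # central directory must end at the EOCD
        findings.append("central directory runs past the EOCD record")
        return findings
    pos = cd_off
    for _ in range(n_total):                      # walk the central directory by hand
        if data[pos:pos + 4] != CDH_SIG:
            findings.append(f"bad central directory header at offset {pos}")
            break
        name_len, extra_len, comment_len = struct.unpack("<HHH", data[pos + 28:pos + 34])
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if len(name) > MAX_PATH:
            findings.append(f"path longer than {MAX_PATH} chars: {name[:32]}...")
        pos += 46 + name_len + extra_len + comment_len
    return findings

def build_sample(long_path: bool, tamper_eocd: bool) -> bytes:
    """Constructed stand-in for an APK: a tiny ZIP, optionally with the two tricks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        if long_path:                             # 337-character resource path
            zf.writestr("res/" + "/".join(["a" * 40] * 8) + "/x.png", b"\x89PNG")
    data = bytearray(buf.getvalue())
    if tamper_eocd:                               # claim disk 0xFFFF, as a multi-disk archive would
        struct.pack_into("<HH", data, data.rfind(EOCD_SIG) + 4, 0xFFFF, 0xFFFF)
    return bytes(data)

if __name__ == "__main__":
    print("clean:", apk_anomalies(build_sample(False, False)))
    print("suspicious:", apk_anomalies(build_sample(True, True)))
```

On a real sample, feed the file bytes to `apk_anomalies` and treat any finding as a reason to route the APK to manual analysis rather than trusting an automated verdict.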

According to South Korean government statistics, vishing cost victims in the country $600 million in 2020 alone. Although FakeCalls is concentrated in South Korea, the malware could easily extend its activities to other regions if its developers or affiliates produce a new language pack and application overlay for targeted banks in other countries.
