<br>Android banking malware blocks calls to customer support

https://eligne.xyz/wp-content/uploads/2022/04/Android-banking-malware-blocks-calls-to-customer-support.jpg">

A banking trojan for Android, which researchers call Fakecalls, has the powerful ability to allow it to take over calls to a bank's customer support number and directly connect the victim to the cybercriminals running the malware.

Disguised as a popular bank's mobile app, Fakecalls displays all the markings of the legal entity it's impersonating, including its official logo and customer support number.

When the victim tries to call the bank, the malware disconnects and shows the call screen, which is almost indistinguishable from the real one.

Fakecalls mobile banking malware call interface (source: Kaspersky)

While the victim sees the real number of the bank on the screen, the link is linked to cybercriminals who can pretend to be the customer support representative of the bank and obtain details that will allow them to access the victim's funds.

The Fakecalls mobile banking trojan can do this because at the time of installation it requests several permissions giving access to the contact list, microphone, camera, geolocation and call management.

The malware emerged last year and appeared to target users in South Korea, customers of popular banks like KakaoBank or Kookmin Bank (KB), Kaspersky security researchers in a report today.

Despite being active for some time, the malware has received little attention, possibly due to its limited target geography, despite its fake call feature, which marks a new step in the development of mobile banking threats.

Direct line to threat actor

Kaspersky analyzed the malware and found that it can also play a pre-recorded message that mimics the messages banks use to greet customers seeking support:

Code in Fake Calls to play pre-recorded audio (source: Kaspersky)

The malware developers recorded several phrases commonly used by banks to inform the customer that an operator will answer the call when available.

Below are two examples of pre-recorded audio (in Korean) played by the Fakecalls malware to make the trick more realistic:

Hello. Thank you for calling KakaoBank. Our call center is currently receiving an unusually high volume of calls. A consultant will talk to you as soon as possible. <...> Your conversation will be recorded in order to increase the quality of the service.

Welcome to Kookmin Bank. Your conversation will be recorded. Now we will connect you to an operator.

Kaspersky researchers say the malware spoofs incoming calls, allowing cybercriminals to communicate with victims as if they were the bank's customer support service.

Complete espionage kit

The permissions requested by the malware during installation allow cybercriminals to spy on the victim, see its location, copy files (files such as contacts, photos and videos) and text message history by broadcasting real-time audio and video from the device.

“These permissions allow the malware not only to spy on the user, but also to control his device to a certain degree, giving the Trojan the ability to drop incoming calls and delete them from the history. This allows scammers to block genuine calls from banks, among other things. and allows it to hide” - Kaspersky

While it is observed that Fakecalls only supports Korean, which makes it easy to detect if the infected device is running with a different system language, the threat actor behind it may add more to spread to other regions.

Kaspersky's recommendations to avoid falling victim to this type of malware include only downloading apps from official stores and paying attention to the potentially dangerous permissions an app requests (access to calls, access to messages, accessibility), especially if the app doesn't need them.

In addition, researchers advise users not to share confidential information (login information, PIN, card security code, confirmation codes) over the phone.

from playing girls' or women's sports in public schools in colleges.

...