UPDATED 09:00 EDT / OCTOBER 30 2024

Zimperium warns of sophisticated ‘vishing’ tactics in new FakeCall malware variant

A new report out today from mobile security platform provider Zimperium Inc. warns of a new, more advanced version of the FakeCall malware targeting Android devices that deploys “vishing” — short for voice phishing — to deceive users into revealing sensitive data by simulating genuine user experiences during phone calls.

FakeCall malware first appeared in 2021, initially targeting South Korean users by mimicking local banking apps. The malware tricks users by imitating authentic interfaces, including real bank phone numbers and prerecorded voice prompts that make victims believe they are communicating with legitimate bank representatives.

The new version of FakeCall, revealed today, takes things further, with an enhanced ability to control infected devices by intercepting incoming and outgoing calls, collecting sensitive data and even gaining remote control over the device.

The advanced variant allows attackers to record audio, capture video and manipulate user interactions on the screen, all while evading detection through obfuscation and the use of native code.

The FakeCall vishing attack initiates when victims download a seemingly harmless Android Package Kit file onto their Android device, often through a phishing link. The APK functions as a dropper that is designed to install a secondary payload that contains the core malicious components. The primary objective of the payload is to give the malware control over the device for further exploitation.

Once installed, FakeCall connects to a command and control server to enable continuous communication between the attacker and the malware. The connection allows the attacker to execute various commands that manipulate the device and deceive the user. FakeCall’s operations are concealed through extensive obfuscation, making it difficult to identify the malware’s actions.

During analysis, the Zimperium zLabs research team found unusual discrepancies in the app’s AndroidManifest.xml file, hinting at missing code loaded through dynamic decryption. Using tools such as frida-dexdump, the research team extracted the hidden code and found that the malware shares functionality with older variants, although some of it has now shifted to native code to evade detection more effectively. The evolution, researchers said, marks a sophisticated adaptation of FakeCall’s deceptive capabilities.

The primary function of the FakeCall application is to monitor outgoing calls and relay this data to a C2 server to allow for potential misuse of user information. By operating as the default call handler, the malware can manipulate dialed numbers, redirecting calls to fraudulent contacts without the user’s awareness, which can lead to identity fraud.

Additionally, when a compromised user attempts to contact their bank, the malware intercepts the call and redirects it to an attacker-controlled number. The app’s fake interface mimics the legitimate Android call screen, displaying the bank’s number to mislead the user. The deception allows attackers to extract sensitive information and potentially access financial accounts.
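The manifest discrepancies and the default-call-handler behaviour described above are the kind of signals a reviewer checks when triaging a suspicious APK. The following is an added example, not Zimperium's tooling or code from the FakeCall analysis: it parses a decoded AndroidManifest.xml, compares the components it declares against the class names recovered from the app's dex files, and flags telephony and accessibility indicators. The manifest, the recovered class list and the package name `com.example.constructed` are all constructed for the demonstration; a declared component with no matching class is exactly the "missing code" symptom that points at a dynamically decrypted payload.

```python
"""Triage helper: declared manifest components vs. recovered classes.

Added example with constructed inputs; not Zimperium's or FakeCall's code.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions that let an app take over calls, audio, video or the UI.
RISKY_PERMISSIONS = {
    "android.permission.BIND_INCALL_SERVICE",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.CALL_PHONE",
    "android.permission.ANSWER_PHONE_CALLS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}
# Intent actions an app registers to become the dialer / in-call UI or an
# accessibility service (the hooks the article describes FakeCall using).
RISKY_ACTIONS = {
    "android.telecom.InCallService",
    "android.accessibilityservice.AccessibilityService",
    "android.intent.action.DIAL",
}

# Constructed decoded manifest standing in for the output of an APK decoder.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name="com.example.constructed.DialerActivity">
      <intent-filter><action android:name="android.intent.action.DIAL"/></intent-filter>
    </activity>
    <service android:name="com.example.constructed.CallService"
             android:permission="android.permission.BIND_INCALL_SERVICE">
      <intent-filter><action android:name="android.telecom.InCallService"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>
"""

# Constructed class list, as a dex listing of the shipped classes.dex might give.
RECOVERED_CLASSES = {
    "com.example.constructed.MainActivity",
    "com.example.constructed.BootReceiver",
}


def declared_components(root):
    """Return {fully qualified class: tag} for every declared component."""
    package = root.get("package", "")
    comps = {}
    for tag in ("activity", "service", "receiver", "provider"):
        for el in root.iter(tag):
            name = el.get(NAME_ATTR)
            if not name:
                continue
            if name.startswith("."):  # relative names resolve against the package
                name = package + name
            comps[name] = tag
    return comps


def triage(manifest_xml, recovered_classes):
    """Compare declared components to recovered classes and collect indicators."""
    root = ET.fromstring(manifest_xml)
    comps = declared_components(root)

    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    perms |= {el.get(PERM_ATTR) for el in root.iter("service") if el.get(PERM_ATTR)}
    actions = {el.get(NAME_ATTR) for el in root.iter("action")}

    return {
        "declared": sorted(comps),
        # Declared but absent from the shipped dex: likely loaded at runtime.
        "missing": sorted(c for c in comps if c not in recovered_classes),
        "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
        "risky_actions": sorted(actions & RISKY_ACTIONS),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, RECOVERED_CLASSES)
    for key, values in report.items():
        print(f"{key}:")
        for v in values:
            print(f"  {v}")
```

On the constructed input the two telephony components (the dialer activity and the in-call service) are declared but have no class behind them, which combined with the dialer and in-call indicators is a strong reason to look for a decrypted secondary payload rather than trust the static view of the APK.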

“This sophisticated malware not only employs vishing techniques to deceive users, it also integrates into the Android system via the Accessibility Service, granting attackers near-total control to intercept calls, access sensitive data and manipulate the user interface,” Jason Soroko, senior fellow at certificate lifecycle management firm Sectigo Ltd., told SiliconANGLE via email. “The attackers using this malware have also been known to use signing keys to further enable the malware to slip past defenses.”

By mimicking legitimate interfaces, he added, it renders detection by users “nearly impossible, highlighting a critical need for advanced security solutions capable of detecting this threat. This also highlights the need to avoid bypassing app stores and for anyone using Android please scrutinize the applications that you are downloading from anywhere.”

Image: SiliconANGLE/Ideogram
