FakeCalls Android malware returns with new ways to hide on phones

Android malware ‘FakeCalls’ is circulating again in South Korea, imitating phone calls from more than 20 financial organizations and attempting to trick bankers into revealing their credit card details.

The malware itself is not new: Kaspersky published a report on it a year ago. However, Check Point researchers now report that newer versions implement multiple evasion mechanisms not seen in earlier samples.

“We discovered more than 2,500 samples of the FakeCalls malware that used a variety of combinations of impersonated financial organizations and implemented anti-analytics techniques,” the Check Point report reads.

“Malware developers paid special attention to protecting their malware, using several unique evasions that we hadn’t seen before in the wild.”

Voice spoofing

The first step of the attack is the installation of malware on the victim’s device, which can happen through phishing, black SEO, or malvertising.

FakeCalls malware is distributed in fake banking apps that masquerade as large financial institutions in Korea, making victims think they are using a legitimate app from a trusted provider.

The attack begins when the app offers the target a loan at a low interest rate. Once the victim is interested, the malware initiates a phone call that plays a recording of the bank’s real customer service with instructions on how to get the loan application approved.

However, the malware masks the number actually being called, which belongs to the attackers, and instead displays the real number of the impersonated bank, so the conversation appears legitimate.

At some point, the victim is tricked into confirming their credit card details, supposedly needed to receive the loan, which are then stolen by the attackers.

Figure: FakeCalls attack diagram

In addition to the vishing process, FakeCalls can capture live video and audio streams from the compromised device, which could help attackers gather additional information.

Figure: code used to start the live stream

Evading detection

In the latest samples captured and analyzed by Check Point researchers, FakeCalls incorporates three new techniques that help it evade detection.

The first mechanism is called “multi-disk”: it manipulates the ZIP header data of the APK (Android package) file, setting abnormally high values in the EOCD (End of Central Directory) record to confuse automated analysis tools.

The second evasion technique manipulates the AndroidManifest.xml file: it makes the file's initial marker unrecognizable, modifies the string structure and styles, and alters the offset of the last string so that the file is interpreted incorrectly.

Figure: the altered last-string offset in the string array

Finally, the third evasion method is to add many files inside directories nested in the APK’s assets folder, resulting in filenames and paths exceeding 300 characters. Check Point says this can cause problems for some security tools, causing them to miss the malware.

Figure: files in the APK assets folder
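As an added example (not code from the article or from Check Point's report), the following Python checker parses an APK's ZIP structure directly rather than through a library that may choke on it: it flags EOCD disk-number fields that indicate the “multi-disk” trick and flags central-directory entry paths longer than 300 characters. The archive it inspects is constructed in memory for the demonstration, not a FakeCalls sample, and the 0xFFFF disk values are an assumed illustration of “abnormally high”.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record signature
CDFH_SIG = b"PK\x01\x02"   # central directory file header signature
MAX_PATH = 300             # path length the article says FakeCalls exceeds
EOCD_FIELDS = ("disk_no", "cd_start_disk", "entries_this_disk",
               "entries_total", "cd_size", "cd_offset", "comment_len")

def parse_eocd(data: bytes) -> dict:
    """Locate the EOCD record and decode its fields without trusting them."""
    idx = data.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("no EOCD record found")
    return dict(zip(EOCD_FIELDS, struct.unpack("<HHHHIIH", data[idx + 4:idx + 22])))

def central_directory_names(data: bytes, cd_offset: int) -> list:
    """Walk the central directory headers and collect each entry's path."""
    names, pos = [], cd_offset
    while data[pos:pos + 4] == CDFH_SIG:
        name_len, extra_len, comment_len = struct.unpack("<HHH", data[pos + 28:pos + 34])
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names

def apk_anomalies(data: bytes) -> list:
    """Flag the multi-disk EOCD trick and overlong entry paths."""
    eocd = parse_eocd(data)
    findings = []
    if eocd["disk_no"] != 0 or eocd["cd_start_disk"] != 0:
        findings.append(f"multi-disk EOCD: disk_no={eocd['disk_no']} "
                        f"cd_start_disk={eocd['cd_start_disk']}")
    for name in central_directory_names(data, eocd["cd_offset"]):
        if len(name) > MAX_PATH:
            findings.append(f"overlong path ({len(name)} chars): {name[:40]}...")
    return findings

def build_sample(long_path: bool, multi_disk: bool) -> bytes:
    """Constructed in-memory archive for demonstration; not a real FakeCalls APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        if long_path:  # 10 nested 30-char directories under assets/ -> 322-char path
            zf.writestr("assets/" + "/".join(["d" * 30] * 10) + "/x.bin", b"\x00")
    data = bytearray(buf.getvalue())
    if multi_disk:  # overwrite disk_no and cd_start_disk with assumed abnormal values
        struct.pack_into("<HH", data, data.rfind(EOCD_SIG) + 4, 0xFFFF, 0xFFFF)
    return bytes(data)
```

Run `apk_anomalies(open("sample.apk", "rb").read())` on a real package to get the same findings list; an empty list means neither structural trick was seen.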

An expensive problem

According to South Korean government statistics, vishing (voice phishing) is a problem that has cost victims in the country $600 million in 2020 alone, while 170,000 victims have been reported between 2016 and 2020.

While FakeCalls has stayed in South Korea, the malware could easily expand its operations to other regions if its developers or affiliates develop a new language kit and app overlay to target banks in different countries.

Vishing has always been a serious problem, but the rise of machine learning voice models that can generate natural speech and imitate the voices of real people from minimal training data is set to increase the threat further.

James D. Brown