
An Android voice phishing (aka vishing) malware campaign known as FakeCalls has once again emerged to target South Korean users under the guise of over 20 popular financial apps.
“The FakeCalls malware functions like a Swiss Army knife, not only fulfilling its intended purpose but also exfiltrating personal data from the victim’s device,” said cybersecurity firm Check Point.
FakeCalls was previously documented by Kaspersky in April 2022, in a report describing the malware’s ability to mimic telephone conversations with bank customer support agents.
In an observed attack, users who installed a rogue banking app were tricked into calling the financial institution by an offer of a fake low-interest loan.
A pre-recorded voice message containing instructions from the actual bank is played when the call actually takes place. At the same time, the malware masks the phone number with the bank’s real number, giving the victim the impression of talking to a real bank employee.
The ultimate goal of the campaign is to obtain the victim’s credit card information. The attackers claim this information is needed to qualify for the nonexistent loan.
Malicious apps also request intrusive permissions to collect sensitive data such as live audio and video streams from compromised devices and exfiltrate them to remote servers.
The latest FakeCalls sample further implements various techniques to stay under the radar. One of them is to add a large number of files in nested directories to the APK’s assets folder, so that the file name and path length exceed the 300-character limit.
“Malware developers paid special attention to the technical aspects of its creation and the implementation of several unique and effective anti-analysis techniques,” Check Point said. “In addition, they devised a mechanism to impersonate the command and control server behind the operation and resolve it.”
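As an added illustration (not code from Check Point or from the original report), the following Python triage check reads an APK's ZIP central directory and flags `assets/` entries whose path exceeds the 300-character limit described above. The function names and the sample archive are constructed for this example.

```python
import io
import zipfile

PATH_LIMIT = 300  # character limit cited in the article


def build_sample_apk(padded_entries=3):
    """Build a constructed, harmless ZIP standing in for an APK (no real sample data)."""
    deep = "/".join(["d" * 40] * 8)  # 8 nested directories of 40 characters each
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("assets/config.json", b"{}")
        for i in range(padded_entries):
            zf.writestr(f"assets/{deep}/{i:04d}.bin", b"")
    return buf.getvalue()


def audit_asset_paths(apk_bytes, limit=PATH_LIMIT):
    """Summarise assets/ entry paths, read from the ZIP central directory only.

    Nothing is extracted, so over-long paths never reach the analyst's filesystem.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        assets = [n for n in zf.namelist()
                  if n.startswith("assets/") and not n.endswith("/")]
    over = [n for n in assets if len(n) > limit]
    return {
        "asset_files": len(assets),
        "over_limit": len(over),
        "max_path_len": max((len(n) for n in assets), default=0),
        "max_depth": max((n.count("/") for n in assets), default=0),
        "flagged": bool(over),
    }


if __name__ == "__main__":
    for label, sample in (("padded", build_sample_apk()), ("clean", build_sample_apk(0))):
        print(label, audit_asset_paths(sample))
```
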

The attack is focused solely on South Korea, but cybersecurity firms warn that the same tactics could be reused to target other regions around the world.
Cyble has uncovered two Android banking Trojans called Nexus and GoatRAT that can collect valuable data and carry out financial fraud.
Nexus, a rebranded version of SOVA, also includes a ransomware module that encrypts stored files and can abuse Android’s accessibility services to extract seed phrases from cryptocurrency wallets.
In contrast, GoatRAT is designed to target Brazilian banks, joining BrasDex, PixPirate, and others in sending fraudulent transfers through the PIX payment platform while displaying fake overlay windows to hide its activity.
This development is part of a trend of threat actors unleashing increasingly sophisticated banking malware to automate the entire process of fraudulent money transfers on infected devices.
Cybersecurity company Kaspersky said it detected 196,476 new mobile banking Trojans and 10,543 new mobile ransomware Trojans in 2022. China, Syria, Iran, Yemen and Iraq have emerged as the top countries attacked by mobile malware, including adware.
Spain, Saudi Arabia, Australia, Turkey, China, Switzerland, Japan, Colombia, Italy and India are the top countries affected by mobile financial threats.
Kaspersky researcher Tatyana Shishkova said, “Despite an overall decline in malware installers, the continued rise in mobile banking Trojans suggests that cybercriminals are making money. It clearly demonstrates their focus on profit.”