New Android Malware Exploits Calls to Steal Banking Information

Cybersecurity experts recently identified an updated version of the FakeCall malware, a notorious Android threat, that now uses voice phishing—or “vishing”—to deceive users into revealing sensitive information.

This advanced malware employs sophisticated methods to gain almost full control over an infected device, including the ability to intercept and manipulate calls, allowing attackers to pose as trusted banking representatives.

One cybersecurity researcher noted that victims are often persuaded to place calls to fraudulent numbers controlled by the attackers, who mimic a legitimate calling experience.

Once in control, the malware can imitate a real bank’s interface on the user’s device, making it extremely difficult for the victim to realize they’re interacting with a malicious entity rather than a legitimate institution.

Since its debut in April 2022, FakeCall (also known as FakeCalls and Letscall) has been widely analyzed and found to specifically target mobile users in South Korea. This Android malware exploits accessibility service APIs, which lets it access and control on-screen content and gives it the expanded permissions that support its malicious activities.

Beyond call manipulation, it can capture SMS messages, contact lists, and location data, and it has the capability to record audio and video, monitor Bluetooth and screen activity, add or delete contacts, and even upload images.

One of FakeCall’s most dangerous features is its ability to set itself as the device’s default dialer, which gives it access to all outgoing and incoming calls.

It can intercept or reroute calls meant for a bank or financial institution to fraudulent numbers controlled by the attackers. Victims are often completely unaware, because the malware’s UI convincingly mimics legitimate interfaces, down to displaying the real phone number of a financial institution.

In earlier versions, FakeCall would prompt users to place calls to supposed banks directly through the malicious app, offering bogus loan deals with lower interest rates to entice victims.

But recent iterations have taken it a step further, allowing attackers to redirect users who attempt to call their financial institution to a fraudulent line. The malware then displays a deceptive user interface that mirrors the real bank’s UI, which tricks users into divulging sensitive information or authorizing unintended financial transactions.

This resurgence of highly advanced mobile phishing, or “mishing,” highlights attackers’ adaptation to rising security standards and the increased use of caller ID applications, which are designed to flag suspicious numbers and alert users.

In response to these threats, Google has been trialing a security measure that automatically blocks the installation of untrusted Android apps, particularly those requesting accessibility services, in select regions like Singapore, Thailand, Brazil, and India.

To safeguard against threats like FakeCall, users should only install apps from trusted sources, such as the Google Play Store, and be cautious about granting accessibility permissions to apps.

Regularly updating device software, using security applications to scan for potential threats, and enabling caller identification tools are also effective defenses.
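
For administrators who can connect a device over adb, the two capabilities described above (holding the default dialer role and running an accessibility service) can be checked directly. The following is an added example, not code from the researchers or from Google; it assumes the inputs are the text printed by the two adb commands named in its comments, and the allowlists and the package com.example.loanhelper are constructed for illustration.

```python
# Audit a device for the two FakeCall prerequisites named in the article.
# Inputs are the text printed by two adb commands (assumed output format:
# a bare package name, and a colon-separated list of "package/service"):
#   adb shell telecom get-default-dialer
#   adb shell settings get secure enabled_accessibility_services

# Constructed allowlists; replace with the packages your fleet actually ships.
TRUSTED_DIALERS = {"com.google.android.dialer", "com.samsung.android.dialer"}
TRUSTED_A11Y = {"com.google.android.marvin.talkback"}


def parse_a11y_services(raw):
    """Return the package names found in the accessibility setting value."""
    raw = raw.strip()
    if raw in ("", "null"):  # setting unset or empty
        return set()
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}


def audit(dialer_raw, a11y_raw,
          trusted_dialers=TRUSTED_DIALERS, trusted_a11y=TRUSTED_A11Y):
    """Return (finding, package) tuples for anything outside the allowlists."""
    findings = []
    dialer = dialer_raw.strip()
    a11y = parse_a11y_services(a11y_raw)
    untrusted_dialer = dialer not in ("", "null") and dialer not in trusted_dialers
    if untrusted_dialer:
        findings.append(("unexpected-default-dialer", dialer))
    for pkg in sorted(a11y - trusted_a11y):
        findings.append(("unexpected-accessibility-service", pkg))
    # Both capabilities held by one untrusted app is the combination to escalate.
    if untrusted_dialer and dialer in a11y:
        findings.append(("dialer-with-accessibility", dialer))
    return findings


# Constructed sample output from a device with a suspicious app installed.
SAMPLE_DIALER = "com.example.loanhelper\n"
SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.example.loanhelper/.AssistService\n")

if __name__ == "__main__":
    for finding, pkg in audit(SAMPLE_DIALER, SAMPLE_A11Y):
        print(f"{finding}: {pkg}")
```

A finding of dialer-with-accessibility on a package that was not installed from a trusted source is the case to investigate first.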