Android malware ‘FakeCall’ now redirects bank calls to attackers

A new version of the FakeCall Android malware hijacks a user’s calls to their bank by redirecting them to the attacker’s phone number.

The aim of the latest version remains to steal people’s sensitive information and money from their bank accounts.

FakeCall (or FakeCalls) is a banking trojan with a focus on voice phishing, where victims are tricked into making fraudulent calls to their banks, asking them to hand over sensitive information.

Kaspersky first reported the trojan in April 2022, noting its realistic-looking call interfaces that trick victims into thinking they are on a call with their bank.

A March 2023 CheckPoint report warned that FakeCall was by then impersonating more than 20 financial organizations, offering targets low-interest loans and introducing new evasion mechanisms to reduce detection rates.

In addition to vishing (voice phishing), FakeCall could also capture live audio and video streams from infected devices, allowing attackers to steal sensitive data without victim interaction.

Diversion of calls

In previous versions, FakeCall asked users to call the bank from within an app, impersonating the financial institution. A fake screen was then superimposed showing the real bank number while the victim was connected to the scammers.

In the latest version reviewed by Zimperium, the malicious app sets itself as the default call handler, asking the user to approve this action when installing the app via an Android APK.

The default call handler (dialer) in Android manages incoming and outgoing calls, serving as the main interface through which calls are placed, answered, connected and ended.

When the malware prompts the user to set it as the default call handler, it gets permission to intercept and manipulate both incoming and outgoing calls.

A fake call interface mimics the real Android dialer, displaying contact information and trusted names, raising the deception to a level that is difficult for victims to see through.

What makes this malware so dangerous is that when a user tries to call their financial institution, the malware secretly hijacks the call and redirects it to the attacker’s phone number.

“When the compromised individual attempts to contact their financial institution, the malware redirects the call to a fraudulent number controlled by the attacker,” the new Zimperium report explains.

“The malicious app will trick the user by displaying a convincing fake user interface that appears to be the legitimate Android call interface, showing the bank’s real phone number.”

“The victim will be unaware of the manipulation, as the malware’s fake UI will mimic the real banking experience, allowing the attacker to extract sensitive information or gain unauthorized access to the victim’s financial accounts.”

[Figure: Overview of the latest FakeCall attacks. Source: Zimperium]

New features and improvements

Beyond the heavier code obfuscation, Zimperium also found that the latest FakeCall versions add several improvements and attack mechanisms, although some are still under development.

First, FakeCall added a Bluetooth listener and a screen status monitor, both without malicious functionality yet.

The malware now uses Android’s Accessibility Service to gain extensive control over the user interface, allowing it to monitor dialer activity, automatically grant permissions, and simulate user actions such as clicks and gestures.
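The two capabilities described above, holding the default call handler role and running an enabled accessibility service, both leave traces in device settings an analyst can pull over adb (`settings get secure enabled_accessibility_services` for the latter; the dialer role holder from `dumpsys telecom` or the role manager). The script below is an added triage example, not code from the article or from Zimperium; it parses those two values against an allowlist, and the allowlists and the sample strings are constructed (the flagged package name is a placeholder, not a real FakeCall IoC).

```python
"""Flag an unexpected default call handler and/or accessibility service.

Input values are what an analyst reads from the device:
  - the package name currently holding the dialer role
  - the raw Settings.Secure ENABLED_ACCESSIBILITY_SERVICES string,
    formatted as 'pkg/ServiceClass:pkg2/ServiceClass' ('null' when none)
"""

# Allowlists are constructed for this example; tune them per device fleet.
KNOWN_DIALERS = {"com.google.android.dialer", "com.android.dialer",
                 "com.samsung.android.dialer"}
KNOWN_A11Y = {"com.google.android.marvin.talkback"}


def parse_accessibility_services(value: str) -> set[str]:
    """Return the set of package names with an enabled accessibility service."""
    value = value.strip()
    if not value or value == "null":
        return set()
    pkgs = set()
    for entry in value.split(":"):
        entry = entry.strip()
        if entry:
            pkgs.add(entry.split("/", 1)[0])  # drop the '/ServiceClass' part
    return pkgs


def assess(default_dialer: str, a11y_setting: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing unusual."""
    findings = []
    dialer = default_dialer.strip()
    if dialer and dialer not in KNOWN_DIALERS:
        findings.append(f"unexpected default call handler: {dialer}")
    a11y = parse_accessibility_services(a11y_setting)
    for pkg in sorted(a11y - KNOWN_A11Y):
        findings.append(f"unexpected accessibility service enabled by: {pkg}")
    # The FakeCall pattern is the combination: one unknown package holds the
    # dialer role AND has an accessibility service switched on.
    if dialer in a11y and dialer not in KNOWN_DIALERS:
        findings.append(f"{dialer} combines dialer role and accessibility "
                        "service (FakeCall-style pattern)")
    return findings


if __name__ == "__main__":
    # Constructed sample values standing in for adb output on a suspect device.
    SAMPLE_DIALER = "com.example.placeholder.fakecall"
    SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
                   "com.google.android.marvin.talkback.TalkBackService:"
                   "com.example.placeholder.fakecall/.A11yService")
    for line in assess(SAMPLE_DIALER, SAMPLE_A11Y):
        print(line)
```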

A new wiretapping service establishes a communication channel with the attacker’s command and control (C2) server, allowing them to issue commands to perform various actions, such as obtaining the device’s location, deleting applications, recording audio or video and editing contacts.

New commands added to the latest version include:

  • Configure the malware as the default call handler.
  • Start streaming the content of the device’s screen.
  • Take a screenshot of the device’s display.
  • Unlock the device if it is locked and temporarily disable auto-lock.
  • Use accessibility services to mimic pressing the home button.
  • Delete the images specified by the C2 server.
  • Access, compress and upload images and thumbnails from storage, specifically targeting the DCIM folder for photos.

These additions show that FakeCall is under active development and its operators are working to make it a more elusive and formidable banking Trojan.

Zimperium has published a list of indicators of compromise (IoCs), including app package names and APK checksums, so users can avoid the apps carrying the malware. However, threat actors change these indicators frequently.

As always, users are advised to avoid manually installing Android apps via APKs and instead install them from Google Play. Although malware can still end up on Google’s service, when detected, it can be removed by Google Play Protect.