"FakeCalls" Android Malware Targets Financial Firms in South Korea

A new Android vishing (voice phishing) malware tool has been spotted targeting victims in South Korea by impersonating 20 leading financial institutions in the region.

Dubbed “FakeCalls” by the Check Point Research (CPR) team, the malware baits victims with fake loans, requesting them to confirm their credit card numbers, which are then stolen.

“FakeCalls malware possesses the functionality of a Swiss army knife, able not only to conduct its primary aim but also to extract private data from the victim’s device,” said CPR cybersecurity researcher Alexander Chailytko.

In a report published on Tuesday, CPR confirmed it had discovered over 2500 samples of the FakeCalls malware, which used varying combinations of mimicked financial organizations and implemented evasion techniques.

Further, the team said the malware developers made extra efforts to protect their malware from antivirus programs, implementing several unique evasion techniques not previously observed by CPR in the wild.

“The malware developers took special care with the technical aspects of their creation as well as implementing several unique and effective anti-analysis techniques,” Chailytko explained. “In addition, they devised mechanisms for disguised resolution of the command-and-control servers behind the operations.”

The security expert also warned that the techniques used by FakeCalls could be reused in other applications targeting other markets around the world.

“I strongly recommend Android users in South Korea not to provide any personal information over the phone and be suspicious of phone calls from unknown numbers,” Chailytko concluded.

To protect against similar vishing attacks, the CPR report includes several additional security recommendations. 

These include being on the lookout for unusual pauses or delays before a person speaks and asking callers to verify or relay critical facts, such as website URLs or job titles. It also advises users not to respond to automated messages as this could allow cybercriminals to record their voices, which could potentially be used for authentication in other attacks.

The CPR findings confirm previous claims from Proofpoint, which said in December last year that vishing would be among the threat vectors increasingly used in 2023.