South Korea is currently facing a new threat of “FakeCalls malware of android known. It imitates phone calls from over 20 financial organizations in the country. The android malware FakeCalls primary aim is to trick bankers into giving away their credit card details. FakeCalls isn’t a new malware. Recent versions of the malware have surfaced with multiple evasion mechanisms not seen in previous samples. The malware’s developers have paid particular attention to protecting their malware using unique evasions. This have not been previously seen in the wild.

Installation of the FakeCalls malware

The first step of the FakeCalls attack is to install the malware on the victim’s device. It can be done via phishing, black SEO, or malvertising. The malware is distributed through fake banking apps that impersonate well-known financial institutions in Korea. Victims assume they are using a legitimate app from a trustworthy vendor. Once the app is installed, the attack begins by offering the target a loan with a low-interest rate. If the victim shows interest, the malware initiates a phone call. It plays a recording from the bank’s customer support with instructions on getting the loan request approved.

Vishing and stealing credit card details

However, the FakeCalls malware can mask the called number, which belongs to the attackers. Instead, it displays the impersonated bank’s real number, making the conversation appear realistic. At some point during the call, the victim is tricked into confirming their credit card details, which are supposedly required to receive the loan. The attackers then steal these details. In addition to vishing, FakeCalls can capture live audio and video streams from the compromised device, which could help the attackers collect additional information.

FakeCalls malware evasion techniques

The latest samples captured and analyzed by Check Point’s researchers reveal that FakeCalls incorporates three new techniques that help it evade detection. The first evasion mechanism is called ‘multi-disk,’ which involves manipulating the ZIP header data of the APK (Android package) file. It sets abnormally high values for the EOCD record to confuse automated analysis tools. The second evasion technique involves the manipulation of the AndroidManifest.xml file to make its starting marker indistinguishable. This manipulation modifies the strings and styles structure and tampers with the last string’s offset to cause incorrect interpretation.

Finally, the third evasion method is to add many files inside nested directories in the APK’s asset folder, resulting in file names and paths surpassing 300 characters. Check Point says this can cause problems for some security tools, causing them to fail to detect the malware.

Impact and cost of vishing

According to South Korean government statistics, vishing (voice phishing) has cost victims in the country $600 million in 2020 alone. There have been 170,000 reported victims between 2016 and 2020. Although the FakeCalls malware has been confined to South Korea, the malware could easily expand its operations to other regions if its developers or affiliates develop a new language kit and app overlay to target banks in different countries.

Impending threat of machine learning

Vishing has always been a dire problem. However, the rise of machine learning speech models that can generate natural speech and mimic real people’s voices with minimal training data input is poised to magnify the threat shortly. Vishing attacks have the potential to become even more sophisticated, making it harder to detect and defend against them.