Mobile security company Zimperium’s zLabs team has uncovered an advanced variant of the FakeCall malware that employs “Vishing” (voice phishing) to deceive mobile users into sharing sensitive information, such as login credentials and banking details. This sophisticated malware campaign highlights an evolving threat landscape where malicious actors exploit mobile-specific features to conduct increasingly deceptive phishing attacks.
Vishing, a form of mobile-targeted phishing, uses fake phone calls or voice messages to trick victims into divulging private information. Zimperium says that Vishing is part of a broader category of mobile phishing, referred to as “Mishing,” which includes various attack methods that capitalize on mobile functionalities like SMS (Smishing), QR code phishing (Quishing), and email-based phishing designed for mobile devices.
FakeCall is a particularly advanced Vishing threat, using malware to intercept calls and control the mobile device. First reported by Kaspersky in 2022, the attack mimicked banking apps and permitted users to make calls through them. Bad actors would overlay the bank’s actual number on victims’ screens and then impersonate bank employees when the victim called the number, thereby obtaining users’ personal banking information.
How it Works
Zimperium’s new research revealed that the attack typically begins when users download a malicious APK file onto an Android device via a phishing attempt. This file installs the FakeCall malware, which then connects to a Command and Control (C2) server, allowing threat actors to remotely control the infected device.
The malware’s ability to intercept both incoming and outgoing calls means it can manipulate the user experience without detection. Victims could unknowingly call fraudulent numbers controlled by attackers who mimic legitimate services, such as a bank’s customer service line, to steal information.
This is because once FakeCall is set as the device’s default call handler, it gains control over all calls. The malware can intercept calls and modify dialed numbers to redirect victims to fraudulent lines. For example, when users try to call their bank, the malware redirects them to a fake interface displaying the bank’s real phone number, creating a convincing illusion of legitimacy. This allows attackers to capture sensitive information undetected.
The latest versions of FakeCall show a strategic evolution in their functionality, integrating complex elements that make detection even more challenging. The company’s zLabs team observed that some malicious code had been moved to native code, making it harder for conventional detection methods to identify.
Advanced Functionalities in the Latest FakeCall Variants
Zimperium’s research revealed several advanced features in this malware’s latest variants:
- Bluetooth Receiver: Monitors Bluetooth activity, potentially setting the stage for future malicious uses.
- Screen Receiver: Tracks screen activity, possibly as a placeholder for upcoming functionalities.
- Accessibility Service Integration: Through Android’s Accessibility Service, the malware gains considerable control, such as monitoring dialer activity and automatically granting permissions without user consent. This also enables remote attackers to control the device interface, simulating clicks and navigation to deceive victims further.
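A defender-side triage check for the two footholds described above (the default call handler from the “How it Works” section and the Accessibility Service in the list above), written as an added example for this article and not code from Zimperium or its report: it compares a device’s dialer role holder and enabled accessibility services against a constructed allowlist and flags anything unexpected. The adb commands are left commented out so the script runs offline, and their output format (semicolon-separated role holders, colon-separated services, `null` when unset) is an assumption.

```shell
#!/bin/sh
# Constructed allowlist of dialer packages expected on this fleet (assumption).
KNOWN_DIALERS="com.google.android.dialer com.samsung.android.dialer com.android.dialer"
# Accessibility services this fleet expects to see enabled (assumption).
KNOWN_A11Y="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# in_list ITEM LIST: succeed if ITEM is one of the space-separated words in LIST.
in_list() {
    for x in $2; do [ "$x" = "$1" ] && return 0; done
    return 1
}

# check_dialer_holders OUTPUT: OUTPUT is the role-holder list for
# android.app.role.DIALER. Returns 0 if every holder is allowlisted,
# 1 if an unknown package owns the call-handler role (FakeCall's foothold).
check_dialer_holders() {
    rc=0
    for pkg in $(printf '%s' "$1" | tr ';,' '  '); do
        if ! in_list "$pkg" "$KNOWN_DIALERS"; then
            echo "ALERT: unexpected default dialer: $pkg"
            rc=1
        fi
    done
    return $rc
}

# check_a11y_services OUTPUT: OUTPUT is the enabled_accessibility_services
# secure setting (pkg/Class entries joined by ':', or 'null' when none).
# Returns 1 if a service outside the allowlist is enabled.
check_a11y_services() {
    rc=0
    [ -z "$1" ] || [ "$1" = "null" ] && return 0
    for svc in $(printf '%s' "$1" | tr ':' ' '); do
        in_list "$svc" "$KNOWN_A11Y" || { echo "ALERT: unexpected accessibility service: $svc"; rc=1; }
    done
    return $rc
}

# Live use against a USB-debugging device (assumed adb output formats):
# check_dialer_holders "$(adb shell cmd role get-role-holders android.app.role.DIALER)"
# check_a11y_services "$(adb shell settings get secure enabled_accessibility_services)"
```

A hit on either check is a triage signal, not proof of infection; the package name and its install source should then be examined with the device owner.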
Fostering Competitive App Stores
Ted Miracco, CEO of Approov, says Google’s isolated approach to Android security has proven insufficient, as seen by recurring threats like ‘FakeCall.’
“Dismantling Google’s monopolistic Play Store and fostering competitive app stores with open standards for security—including attestation and a transparent rating system—would empower consumers with clearer insight into app risks and access to safer, rigorously vetted applications,” he concludes.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.