Imagine making a phone call to your bank but ending up speaking to a hacker on the other end of the line. That is precisely what the sophisticated Android malware FakeCall is now capable of doing, according to a report from Zimperium’s zLabs research team.
As Zimperium explains, FakeCall utilizes a technique called “vishing” (voice phishing). The goal is to trick victims into disclosing sensitive information such as credit card numbers and banking details through fake phone calls and voice messages.
“FakeCall is an extremely sophisticated Vishing attack that leverages malware to take almost complete control of the mobile device, including the interception of incoming and outgoing calls, the researchers explain. “Victims are tricked into calling fraudulent phone numbers controlled by the attacker and mimicking the normal user experience on the device.”
The first step is to deceive a victim into downloading an APK file through a phishing attack. The APK acts as a dropper, which installs the malicious payload onto the device. Once the payload is installed, the app will prompt the user to set it as the default phone application. This gives the app the ability to manage incoming and outgoing phone calls.
Here’s what can happen next, according to Zimperium’s researchers:
- Identity Fraud: By exploiting its position as the default call handler, the app can modify the dialed number, replacing it with a malicious one via the setResultData() method, deceiving users into making fraudulent calls.
- Hijack Calls: The malware can intercept and control incoming and outgoing calls, covertly making unauthorized connections. In this case, users may be unaware until they remove the app or restart their device.
With that in mind, if you attempt to call your bank or credit card issuer, the app will display the number you called while discretely rerouting the call in the background.
The FakeCall malware was previously reported by Kaspersky in 2022 and ThreatFabric in 2023. Zimperium has been tracking a new variant, which introduces even more advanced functionality, such as monitoring Bluetooth status and the screen’s state, capturing information displayed on the screen, and issuing commands on infected devices.
This Android malware is yet another reason why you should avoid downloading apps or APKs that aren’t available on the official Google Play store.
UPDATE | A Google spokesperson shared the following quote: “Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”
