A newly evolved form of malware called FakeCall, known for its advanced use of vishing (voice phishing), has been identified by cybersecurity researchers.
Uncovered by Zimperium’s zLabs team, this malware variant exploits voice calls, often posing as legitimate institutions, to deceive users into divulging sensitive information such as credit card details and banking credentials.
The FakeCall attack specifically targets mobile devices, taking advantage of unique mobile functions like voice and SMS capabilities. This malware strain is particularly concerning due to its sophisticated structure, which includes various malicious tools developed to control mobile device functions.
FakeCall operates by hijacking call functions on Android devices. The attack often begins when users download a seemingly benign APK file that acts as a dropper, which then installs the main malicious software.
Once installed, FakeCall can intercept and manipulate both outgoing and incoming calls, using a command-and-control (C2) server to issue commands and execute actions covertly on the device. The malware even impersonates a legitimate call interface, further deceiving users.
“The attackers using this malware have also been known to use signing keys to further enable the malware to slip past defenses,” added Jason Soroko, a senior fellow at Sectigo.
“By seamlessly mimicking legitimate interfaces, it renders detection by users nearly impossible, highlighting a critical need for advanced security solutions capable of detecting this threat. This also highlights the need to avoid bypassing app stores, and for anyone using Android please scrutinize the applications that you are downloading from anywhere.”
How FakeCall Exploits Mobile Phishing Tactics
FakeCall uses several phishing tactics tailored explicitly for mobile platforms:
- Vishing (Voice Phishing): Uses fake calls to trick users into sharing confidential information
- Smishing (SMS Phishing): Sends deceptive SMS messages to lure users into clicking malicious links
- Quishing (QR Phishing): Exploits QR codes to deliver malware through mobile cameras
The latest versions of FakeCall incorporate enhanced features that add to its sophistication. Notably, new elements such as Bluetooth and screen receivers allow the malware to monitor device status without immediately displaying malicious behavior, suggesting these features may serve as placeholders for future capabilities.
Additionally, the malware leverages Android’s Accessibility Service, enabling remote control over the device UI, which allows attackers to simulate user actions and bypass security prompts without the user’s consent.
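A defender-side triage sketch for the call-handling and Accessibility Service behaviors described above, added here as an example and not taken from Zimperium's research or from the malware: it reads a decoded AndroidManifest.xml and flags an app for review only when it declares an accessibility service together with call-related permissions or an in-call service. The permission set, the escalation rule and the sample package and class names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
CALL_PERMS = {  # assumed set of call-related permissions worth noting
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CALL_LOG",
    "android.permission.ANSWER_PHONE_CALLS",
    "android.permission.PROCESS_OUTGOING_CALLS",
}
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BIND_INCALL = "android.permission.BIND_INCALL_SERVICE"

def triage_manifest(xml_text):
    """Return findings for a decoded (text-form) AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    findings = {
        "call_permissions": sorted(requested & CALL_PERMS),
        "accessibility_services": [],
        "incall_services": [],
    }
    for svc in root.iter("service"):
        bound = svc.get(ANDROID + "permission")
        name = svc.get(ANDROID + "name")
        if bound == BIND_A11Y:
            findings["accessibility_services"].append(name)
        elif bound == BIND_INCALL:
            findings["incall_services"].append(name)
    # Escalate only on the combination: UI control plus call handling.
    has_call = bool(findings["call_permissions"] or findings["incall_services"])
    findings["review"] = bool(findings["accessibility_services"]) and has_call
    return findings

# Constructed sample manifest; package and class names are hypothetical.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <service android:name=".UiHelperService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".CallScreenService" android:permission="android.permission.BIND_INCALL_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE))
```

A hit is a prompt for manual review, not a verdict: legitimate dialer and assistive apps declare the same components.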
“This latest mobile attack tactic is concerning because it takes elements of what we believe is the future of phishing attacks, the adversary-in-the-middle approach, and leveraging command-and-control malware to hijack the user’s device,” explained Mika Aalto, co-founder and CEO at Hoxhunt.
“So much of our business and communications is performed by a mobile these days that this could be a crucial step in a catastrophic breach if attackers were to compromise the phone of someone who has the right level of access.”