Actu
New Android Vishing Malware Impersonates Leading Financial Institutions to Target Victims in South Korea
March 2023 by Check Point Research (CPR)
Check Point Research (CPR) warns of new Android vishing malware targeting victims in South Korea. Named “FakeCalls”, the malware impersonates 20 of the leading financial institutions in the region, enticing its victims with fake loans. Victims confirm their credit card numbers and expose themselves to fraud. The malware developers paid special attention to the protection of their malware, using several unique evasions that we had not previously seen in the wild. CPR releases a technical analysis of FakeCalls to help prevent the malware from being used in other regions.
• CPR discovered more than 2500 samples of the FakeCalls malware
• CPR outlines attacks scheme of FakeCalls
• CPR provides safety tips from vishing calls
Check Point Research (CPR) is warning of a new vishing malware designed to offer fake loans from leading financial institutions to people in South Korea. Named “FakeCalls”, the Android malware imitates e-banking apps to provide fake loan offers with low interest rates, in order to lure its victims into confirming their credit card numbers through fraudulent phone calls.
This type of attack is known as “vishing”, short-hand for voice phishing.
The Attack Scheme
The idea behind voice phishing is to trick the victim into thinking that there is a real bank employee on the other side of the call. When the conversation happens, the phone number belonging to the malware operators, unknown to the victim, is replaced by a real bank number.
Victims are then under the impression that the conversation is made with a real bank and its real employee. Once the trust is established, the victim is tricked into “confirming” the credit card details in the hope of qualifying for the (fake) loan.
Figure 1. Attack scheme:
Evasion Techniques
The malware developers paid special attention to the protection of their malware, using several unique evasions that we had not previously seen in the wild. CPR saw several ways for how the malware developers tried to keep their real Command-and-Control (C&C) servers hidden: reading the data via dead drop resolvers in Google Drive or using an arbitrary Web server. All in all, CPR discovered more than 2500 samples of the FakeCalls malware that used a variety of combinations of mimicked financial organizations and implemented anti-analysis techniques.
Quote: Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Software:
“We’ve spotted new voice phishing malware impersonating financial institutions that are household names in South Korea. FakeCalls malware possesses the functionality of a Swiss army knife, able not only to conduct its primary aim but also to extract private data from the victim’s device.The malware developers took special care with the technical aspects of their creation as well implementing several unique and effective anti-analysis techniques. In addition, they devised mechanisms for disguised resolution of the Command-and-Control servers behind the operations. The tricks and approaches used in this particular malware can be re-used in other applications targeting other markets around the globe. I strongly recommend Android users in South Korea not to provide any personal information over the phone and be suspicious of phone calls from unknown numbers.”
How to Stay Safe:
1. Don’t provide any personal information over the phone
2. Be on the lookout for unusual pauses or delays before a person speaks
3. Avoid answering unknown phone calls
4. Ask the caller to verify or relay key facts, such as website URL or their job title
5. Don’t press any buttons or speak any responses to any prompts from an automated message, as cybercriminals can record your voice
