- Apr 24, 2016
A banking trojan for Android that researchers call Fakecalls comes with a powerful capability that enables it to take over calls to a bank’s customer support number and connect the victim directly with the cybercriminals operating the malware.
Disguised as a mobile app from a popular bank, Fakecalls displays all the marks of the entity it impersonates, including the official logo and the customer support number.
When the victim tries to call the bank, the malware breaks the connection and shows its call screen, which is almost indistinguishable from the real one.
While the victim sees the bank’s real number on the screen, the connection is to the cybercriminals, who can pose as the bank’s customer support representatives and obtain details that would give them access to the victim’s funds.
The Fakecalls mobile banking trojan can do this because, at the moment of installation, it asks for several permissions that give it access to the contact list, microphone, camera, geolocation, and call handling.
The malware emerged last year and has been seen targeting users in South Korea, customers of popular banks like KakaoBank or Kookmin Bank (KB), security researchers at Kaspersky note in a report today.
Although it’s been active for a while, the malware has received little attention - likely due to its limited target geography - despite its fake call feature that marks a new step in the development of mobile banking threats.
While Fakecalls has been observed to support only the Korean language, which makes it easy to detect if the infected device runs with a different system language, the threat actor behind it could add more languages to extend to other regions.
Kaspersky’s recommendations to avoid falling victim to such malware include downloading apps only from official stores, and paying attention to potentially dangerous permissions an app asks for (access to calls, texts, accessibility), especially if the app does not need them.
Additionally, the researchers advise users to not share confidential information over the phone (login credentials, PIN, card security code, confirmation codes).
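The permission check recommended above can be automated for a decoded `AndroidManifest.xml`. The sketch below is an added example, not code from Kaspersky's report. The mapping from the article's capability groups to standard Android permission names is an assumption, and the sample manifest, package name and service name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: the article names capability groups, not exact permissions.
CATEGORIES = {
    "contacts": {"READ_CONTACTS", "WRITE_CONTACTS"},
    "microphone": {"RECORD_AUDIO"},
    "camera": {"CAMERA"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "calls": {"CALL_PHONE", "READ_PHONE_STATE", "READ_CALL_LOG",
              "PROCESS_OUTGOING_CALLS", "ANSWER_PHONE_CALLS"},
    "texts": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"},
}

def audit_manifest(manifest_xml):
    """Map each sensitive category to what a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            requested.add(el.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1])
    hits = {c: sorted(p & requested) for c, p in CATEGORIES.items() if p & requested}
    # Accessibility is not a uses-permission entry: it appears as a <service>
    # protected by BIND_ACCESSIBILITY_SERVICE.
    services = [s.get(ANDROID_NS + "name", "?") for s in root.iter("service")
                if s.get(ANDROID_NS + "permission", "").endswith("BIND_ACCESSIBILITY_SERVICE")]
    if services:
        hits["accessibility"] = services
    return hits

def needs_review(hits, expected=()):
    """Categories requested beyond what the app's stated purpose needs."""
    return sorted(set(hits) - set(expected))

# Constructed sample manifest (hypothetical package and service names).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bankclone">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <application><service android:name=".CallOverlayService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""

print(needs_review(audit_manifest(SAMPLE), expected=("camera",)))
```

The `expected` argument holds the categories the app's stated purpose plausibly needs, so the result is the list a reviewer should question before installing.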