Fresh Vishing Campaign Targeting South Korean Users
Victims Lured Using Loan Offer with a Low Interest Rate
Criminal hackers are targeting South Koreans with an Android Trojan that masquerades as nearly two dozen financial applications, duping victims into handing over payment card data by faking phone conversations with lenders.
The Trojan is appropriately named FakeCalls, a Check Point research report says. Voice phishing attacks are widespread in South Korea. The Chosun Ilbo in 2020 said that reported losses from fraudsters pretending to be banks amounted to 1.7 trillion Korean won over five years. Today, that amount would equal about $1.3 billion. Kaspersky also raised an alarm over the FakeCalls Trojan in 2022, saying it had an "interesting ability to 'talk' with the victim in the guise of a bank employee." It interrupts calls to legitimate bank customer service by breaking the connection and opening its own fake call screen.
Check Point researchers said they discovered more than 2,500 samples of the FakeCalls malware that used a variety of combinations of mimicked financial organizations. Developers are taking steps to protect their malware from detection, using "several unique evasions that we had not previously seen in the wild," they said.
The campaign begins with an offer for a low-interest loan. Once the victim takes the bait, the malware plays a prerecorded audio track presented as coming from the banking institution to confirm details of the loan approval.
"Once the trust is established, the victim is tricked into 'confirming' the credit card details in the hope of qualifying for the fake loan," researchers say.
In the second stage of the attack, malware operators use a prerecorded audio track that imitates instructions from the bank. The Check Point researchers observed that different tracks are embedded into different malware samples related to various imitated financial organizations.
The malware can capture live audio and video from the device's camera and stream them to command-and-control servers, with the help of an open-source library available on GitHub and a command called "stream."
The researchers found three unique tricks meant to frustrate analysis of the malware. The first mechanism is called "multi-disk" despite the fact that the Android package file cannot be split into multi-disk archives. The technique is meant to confuse analysis tools by setting an exaggerated number in the end of the central directory record.
Developers also planted a malformed file purporting to be the Android Manifest file - an XML file that Google says every app must feature, which contains declarations such as app components and permissions. The malformed file contains a number of errors meant to break the decoding process.
The developers also planted a large number of nested files inside the Android package file, inflating the file name and file path to a length meant to break the logic of APK decompilers.
The Check Point researchers say they nonetheless decompiled the malware.
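A defensive check for the first and third tricks described above, added here as an example and not taken from Check Point's report or any existing tool: it reads the end of central directory record directly, flags multi-disk fields a single-file APK has no reason to carry, and walks the central directory to flag overlong names. The function names, the 255-byte name threshold and the sample archives are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
MAX_NAME = 255             # assumed threshold (NAME_MAX on common filesystems)

def audit_apk(data):
    """Return findings for EOCD and central-directory anomalies in raw APK bytes."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0 or pos + 22 > len(data):
        return ["no end of central directory record"]
    _, disk, cd_disk, n_here, n_total, _, cd_off, _ = struct.unpack_from(
        "<4s4H2LH", data, pos)
    findings = []
    # A single-file archive has disk numbers 0 and matching entry counts.
    if disk or cd_disk or n_here != n_total:
        findings.append(f"multi-disk fields set: disk={disk} cd_disk={cd_disk} "
                        f"entries={n_here}/{n_total}")
    # Walk the central directory instead of trusting the declared counts.
    pos, seen = cd_off, 0
    while pos + 46 <= len(data) and data[pos:pos + 4] == CDH_SIG:
        name_len, extra_len, comment_len = struct.unpack_from("<3H", data, pos + 28)
        if name_len > MAX_NAME:
            findings.append(f"entry {seen}: file name is {name_len} bytes")
        pos += 46 + name_len + extra_len + comment_len
        seen += 1
    if seen != n_total:
        findings.append(f"EOCD declares {n_total} entries, walked {seen}")
    return findings

def build_sample(name="AndroidManifest.xml", disk=0):
    """Constructed test input: a one-entry ZIP, optionally with EOCD disk fields altered."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(name, b"<manifest/>")
    raw = buf.getvalue()
    pos = raw.rfind(EOCD_SIG)
    return raw[:pos + 4] + struct.pack("<2H", disk, disk) + raw[pos + 8:]

if __name__ == "__main__":
    for label, sample in [("clean", build_sample()),
                          ("disk fields altered", build_sample(disk=0xFFFF)),
                          ("long path", build_sample(name="d/" * 200 + "f"))]:
        print(label, "->", audit_apk(sample) or "no findings")
```

ZIP64 archives legitimately store 0xFFFF in the entry-count fields, so a count mismatch on its own warrants a look at the ZIP64 records before treating the file as tampered.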
FakeCalls developers also took pains to keep their real command-and-control servers hidden by using legitimate web services such as Google Drive to relay the real C2 configuration.