Android Banking Malware (fakecalls) that intercepts calls to customer support

Background

Researchers have discovered a new banking malware that affects devices running the Android OS. The trojan, known as “Fake Calls”, mimics banking mobile apps on a victim’s device and takes over calls to a bank’s customer support number, connecting the victim directly to the cybercriminals operating the malware. When the victim tries to call the bank, the malware breaks the connection and shows its own call screen, which is almost indistinguishable from the real one.

During installation, Fake Calls immediately requests a whole host of permissions, including access to contacts, microphone and camera, geolocation and call handling, allowing the cybercriminals to spy on its victims. Because the app has permission to make outgoing calls, Fakecalls connects the victim directly with the cybercriminals. The Trojan can also play prerecorded audio imitating the standard greeting from the bank. The attackers, under the guise of a bank employee, try to coax payment data or other confidential information out of the victim.

Besides outgoing calls, Fakecalls can spoof incoming calls as well. When the cybercriminals want to contact the victim, the Trojan displays its own screen over the system one. As a result, the user does not see the real number used by the cybercriminals, but the one shown by the Trojan, such as the phone number of the bank’s support service.

Impact

The malware gives complete control of the victim’s device to the attacker, and this can lead to privacy invasion and information gathering to aid in further attacks.

Systems / Technologies affected

This malware affects all Android devices.

Recommendation

  • Android users are advised to steer clear of applications that seem too good to be true.
  • Android users should also check other users' reviews to help avoid downloading malicious apps.
  • Download apps only from official stores and do not allow installations from unknown sources.
  • Pay attention to what permissions apps ask for and whether they really need them.
  • Never give confidential information over the phone (login credentials, PIN, card security code, confirmation codes).
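
One way to apply the permissions recommendation when reviewing an app before it is allowed onto managed devices is sketched below. This is an added example, not code from the original advisory. It reads a permission listing in the style printed by `aapt dump permissions` and flags apps that span most of the categories the advisory lists. The mapping from categories to Android permission names, the threshold of four and the sample listings are assumptions made for illustration.

```python
import re

# Assumed mapping from the advisory's permission categories to Android
# permission names; the advisory names only the categories.
CATEGORIES = {
    "contacts": {"READ_CONTACTS", "WRITE_CONTACTS"},
    "microphone": {"RECORD_AUDIO"},
    "camera": {"CAMERA"},
    "geolocation": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "call handling": {"CALL_PHONE", "PROCESS_OUTGOING_CALLS",
                      "ANSWER_PHONE_CALLS", "READ_PHONE_STATE",
                      "READ_CALL_LOG"},
}

# Matches both `uses-permission: name='android.permission.X'` and the
# older `uses-permission: android.permission.X` line style.
PERM_RE = re.compile(
    r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?android\.permission\.([A-Z0-9_]+)")

def requested_categories(listing):
    """Return the sorted advisory categories a permission listing touches."""
    perms = {m.group(1) for line in listing.splitlines()
             if (m := PERM_RE.match(line.strip()))}
    return sorted(c for c, names in CATEGORIES.items() if names & perms)

def review(listing, threshold=4):
    """Flag an app for manual review when it spans `threshold` or more categories."""
    hit = requested_categories(listing)
    return {"categories": hit, "flag": len(hit) >= threshold}

# Constructed sample listings (not taken from any real app).
SAMPLE_SUSPECT = """\
package: com.example.bankclone
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.INTERNET'
"""
SAMPLE_BENIGN = """\
package: com.example.flashlight
uses-permission: android.permission.CAMERA
uses-permission: name='android.permission.INTERNET'
"""

if __name__ == "__main__":
    for name, text in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(name, review(text))
```

A flag is a prompt for manual review, not a verdict: legitimate dialer or messaging apps can also request several of these categories.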