Android Users – New malware hijacks bank calls and redirects them to attackers

This article was updated on November 7 to include a statement from a Google spokesperson.

Malware development is a relentless game of cat and mouse, and Android users are once again in the crosshairs.

Initially, the FakeCall malware was a simple scam that aimed to mimic legitimate banking apps and trick users into revealing sensitive information through fake call screens.

Although social engineering was used effectively, early versions were limited to visual deception. Today, a more sophisticated version has emerged – equipped with the ability to intercept calls, record conversations and monitor device activity – making it a formidable threat capable of carrying out complex and highly convincing fraud.

The new and improved FakeCall malware

As The Hacker News reports, the new FakeCall malware begins by tricking users into downloading what appears to be a legitimate app. Once installed, it asks to be set as the default phone app. This step is crucial because it allows the malware to control calls on the device.

From there, when a user tries to make a call or receives a call, the malware can intercept the call and redirect it to a spoofed number controlled by attackers, making the user believe they are speaking to real bank representatives.

Differences between the old and the new FakeCall

Record audio and screens

Previous versions of FakeCall primarily deceived users by displaying fake call screens and mimicking legitimate apps to give users the impression they were speaking to their bank. The new variant takes things a step further by leveraging Android’s screen recording and audio recording features. This allows attackers to spy on live conversations and potentially collect personal or financial data in real time.

Device activity monitoring

While older versions had limited monitoring capabilities, the updated malware can track more aspects of device behavior, including monitoring Bluetooth status. This not only helps attackers understand when users are active, but also makes it easier for them to predict interactions, increasing their chances of successfully extracting sensitive information.

Mimicking real user interactions

A major advance in the new variant is its seamless integration into the Android system. This ability allows the malware to mimic real user interactions, making it appear more legitimate. For example, the malware can simulate actions that a user would normally perform, such as toggling settings or responding to prompts.

This deception helps the malware avoid detection and makes its behavior appear natural. These new features make the latest FakeCall version more intrusive and enable complex, multi-layered fraud operations to be carried out.

Example attack scenario

Imagine John, an Android user, downloads an app that he believes is his bank’s latest mobile application. The app looks compelling, complete with logos and familiar interface elements. However, this app is infected with the new FakeCall malware. John sets it as the default dialer after a prompt suggests it will “improve call quality.”

When he calls customer service to report a suspicious transaction, the malware intercepts the call and seamlessly routes it to an attacker. On the other end, a fraudster poses as a bank representative with a calm and authoritative tone.

John provides personal information because he believes it is necessary for verification purposes. Meanwhile, the malware secretly records audio and captures John’s screen interactions as he accesses account information or enters security codes.

John ends the call confident that the problem will be resolved. Little does he know that the attacker now has the data he needs to access his bank account, initiate transactions and jeopardize his financial security.

This seamless deception leaves no immediate clues and allows the attacker to act quickly before John realizes something is wrong.

Good security practices when downloading apps

  • Only download apps from trusted sources: Always use verified app stores like Google Play to minimize the risk of downloading malware. These platforms perform security audits on the apps they host, providing a layer of protection. Be wary of Android Package Kits or APKs from third-party websites as they often bypass these security measures.
  • Check app permissions regularly: Review and adjust your apps’ permissions. Apps should only have access to what they need to function. For example, a weather app doesn’t need access to your calls or screen recording features. Pay particular attention to apps that request permissions for screen access, call handling, or SMS messaging, as these can be exploited by malware like FakeCall.
  • Keep devices updated: Make sure your device’s operating system and any installed apps receive regular updates. Developers release updates not only for new features, but also to fix known security vulnerabilities. By updating, you reduce the risk of malware exploiting outdated software.
  • Be skeptical of app requests: Always scrutinize requests for broad permissions. Malware often uses false pretenses to claim control over features such as setting the default dialer or accessing accessibility services. Only grant these permissions if you completely trust the app and understand why it needs them. For example, a photo editing app shouldn’t require the ability to make calls or read your screen.
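
The permission review recommended in the list above can be scripted for a fleet or a single device. The following is an added example, not code from the article or from any vendor: it audits an app inventory for the combination the article describes (default phone app role, call, audio and SMS permissions, accessibility access, installation from outside Google Play). The `com.example.*` package names, the inventory data and the scoring thresholds are assumptions made for illustration.

```python
RISKY = {  # capability -> real Android permission names
    "call handling": {"android.permission.CALL_PHONE",
                      "android.permission.ANSWER_PHONE_CALLS",
                      "android.permission.READ_CALL_LOG"},
    "audio recording": {"android.permission.RECORD_AUDIO"},
    "SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
}
PLAY_STORE = "com.android.vending"  # installer package name of Google Play

def audit(inventory, default_dialer, accessibility_pkgs, expected_dialers):
    """Return {package: (level, reasons)} for every app that needs attention."""
    findings = {}
    for pkg, app in inventory.items():
        # An expected dialer legitimately holds call permissions; skip those.
        caps = [cap for cap, perms in RISKY.items()
                if perms & set(app["permissions"])
                and not (cap == "call handling" and pkg in expected_dialers)]
        reasons = [f"requests {cap} permissions" for cap in caps]
        sideloaded = app.get("installer") != PLAY_STORE and not app.get("system")
        if sideloaded:
            reasons.append("installed from outside Google Play")
        rogue_dialer = pkg == default_dialer and pkg not in expected_dialers
        if rogue_dialer:
            reasons.append("is the default phone app but not an expected dialer")
        a11y = pkg in accessibility_pkgs
        if a11y:
            reasons.append("has an accessibility service enabled")
        # Thresholds are this example's assumption, not taken from the article.
        if rogue_dialer or (sideloaded and (len(caps) >= 2 or a11y)):
            findings[pkg] = ("high", reasons)
        elif caps or a11y:
            findings[pkg] = ("review", reasons)
    return findings

# Constructed inventory (hypothetical com.example.* packages).
INVENTORY = {
    "com.google.android.dialer": {"installer": PLAY_STORE, "permissions": [
        "android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG"]},
    "com.example.weather": {"installer": PLAY_STORE, "permissions": [
        "android.permission.ACCESS_COARSE_LOCATION", "android.permission.RECORD_AUDIO"]},
    "com.example.bankhelper": {"installer": None, "permissions": [
        "android.permission.CALL_PHONE", "android.permission.RECORD_AUDIO",
        "android.permission.READ_SMS"]},
}

if __name__ == "__main__":
    result = audit(INVENTORY, "com.example.bankhelper",
                   {"com.example.bankhelper"}, {"com.google.android.dialer"})
    for pkg, (level, why) in result.items():
        print(f"[{level}] {pkg}: " + "; ".join(why))
```
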

The new and improved FakeCall malware is a reminder that cyber threats are constantly adapting, becoming more complex and harder to detect. What started as a simple scam using fake call screens to mimic banking interactions has now evolved into an advanced tool that can intercept calls, record conversations and seamlessly integrate with Android systems to mimic user behavior.

Update: November 7, 2024:

A Google spokesperson issued the following statement: “Based on our current detection, no apps containing this malware have been found on Google Play. Android users are automatically protected from known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services. Google Play Protect can alert users or block apps that are known to exhibit malicious behavior, even if those apps come from sources outside of Play.”
