FakeCalls Vishing Malware Targets South Korean Users via Popular Financial Apps


Once again, an Android voice phishing (vishing) campaign called FakeCalls has emerged. It targets South Korean users by disguising itself as more than 20 well-known financial applications.

According to Check Point, the FakeCalls malware is like a versatile tool that can not only perform its main task but also collect sensitive information from the targeted device.

In April 2022, Kaspersky reported on FakeCalls, a malware that can simulate phone conversations with bank customer support agents.

During the reported attacks, individuals who download the counterfeit banking app are lured into contacting the relevant financial organization with the promise of a bogus low-interest loan.

When the phone call is made, a pre-recorded message with directions from the legitimate bank is played, while the malware replaces the bank's phone number with their real number to make it seem like a conversation with an actual bank employee is taking place.

The main objective of the scheme is to obtain the credit card details of the victim, something that the perpetrators assert is necessary in order to meet the criteria for a fictitious loan.

The malicious application asks for excessive permissions to gather private information, such as live recordings of audio and video from the infected device, and sends them to a remote server.

The newest FakeCalls examples utilize different strategies to avoid detection. A technique they use involves placing many files into nested directories within the APK's asset folder, which makes the file path and name exceed the 300-character limit.
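A defender can check an APK for the long-path technique described above by listing its asset entries. The following is an added example, not code from Check Point or the article; the in-memory sample archive is constructed and the function names are hypothetical.

```python
import io
import zipfile

PATH_LIMIT = 300  # character limit cited in the article


def build_sample_apk(long_entry: bool) -> bytes:
    """Build a tiny APK-like ZIP in memory (constructed sample, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("assets/config/settings.json", b"{}")
        if long_entry:
            # 16 nested directories of 20 characters each under assets/
            nested = "/".join(["d" * 20] * 16)
            zf.writestr(f"assets/{nested}/payload.bin", b"\x00")
    return buf.getvalue()


def find_overlong_assets(apk_bytes: bytes, limit: int = PATH_LIMIT):
    """Return (path_length, directory_depth, name) for asset entries over limit."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.startswith("assets/"):
                continue  # the article describes the trick in the asset folder
            if len(name) > limit:
                findings.append((len(name), name.count("/"), name))
    # Longest paths first so the most suspicious entries lead the report
    return sorted(findings, reverse=True)


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_apk(False)),
                          ("nested", build_sample_apk(True))):
        hits = find_overlong_assets(sample)
        print(f"{label}: {len(hits)} asset path(s) over {PATH_LIMIT} characters")
        for length, depth, name in hits:
            print(f"  length={length} depth={depth} {name[:60]}...")
```

A hit is a triage signal rather than a verdict: it marks an APK worth unpacking with tooling that tolerates long paths.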

According to Check Point, the creators of the malware paid close attention to its technical features and incorporated various effective strategies to prevent it from being analyzed. Additionally, they created methods for concealing the identity of the command-and-control servers used in their operations.

Although the attack is specifically aimed at South Korea, the cybersecurity firm has cautioned that the same strategies could be adapted to target other parts of the globe.

In addition, Cyble has provided information about two types of Android banking trojans known as Nexus and GoatRAT, which have the ability to collect valuable information and engage in fraudulent financial activities.

Nexus, which is a rebranded version of SOVA, has an added ransomware feature that encrypts stored documents and can exploit Android's accessibility services to obtain seed phrases from digital currency wallets.

On the other hand, GoatRAT is specifically made to attack banks in Brazil and is part of a group that includes BrasDex and PixPirate. They carry out fraudulent money transfers through the PIX payment platform while using a false pop-up window to conceal their actions.

This development is part of a growing trend in which threat actors release increasingly advanced banking malware to carry out illicit money transfers automatically on infected devices.

Kaspersky, a cybersecurity firm, says it identified 196,476 new mobile banking trojans and 10,543 new mobile ransomware trojans in 2022. The countries most affected by mobile malware, including adware, are China, Syria, Iran, Yemen and Iraq.

Mobile financial threats have affected several countries worldwide, with Spain, Saudi Arabia, Australia, Turkey, China, Switzerland, Japan, Colombia, Italy and India leading the list.

According to Kaspersky researcher Tatyana Shishkova, while the number of malware installers is decreasing, the rising trend of mobile banking Trojans suggests that cybercriminals are now more interested in making money from financial scams.
