Imagine how alarming it would be to call your bank's customer service line and find that the person on the other end of the phone is an attacker. The research team of Zimperium, an American mobile security company, recently released a report showing that the sophisticated Android malware “FakeCall” is now able to do exactly this.
The Zimperium team pointed out that “FakeCall” uses a technology called voice phishing (vishing), with the goal of tricking victims into leaking sensitive information such as credit card numbers and banking information through fake phone calls and voice messages.
Researchers explained that “FakeCall” is an extremely sophisticated voice phishing attack that uses malware to almost completely control the mobile device, including intercepting any incoming and outgoing calls. Victims are tricked into calling a spoofed phone number controlled by the attacker, which also mimics the normal user experience on the device.
The first step of the “FakeCall” attack is to trick the victim into downloading an APK file through a phishing attack. The APK acts as a dropper and installs a malicious payload onto the device. After the victim installs the payload, the application prompts the user to set it as the default phone calling app so that it can manage incoming and outgoing calls.
What happens next?
- Identity fraud: The application takes advantage of its status as the default call-handling application and can modify the dialed number, replacing it with a malicious number through “setResultData()”, to trick the user into making fraudulent calls.
- Hijacking calls: The malware can intercept and control incoming and outgoing calls, secretly establishing unauthorized connections. In this case, the user may not realize it until the app is deleted or the device is restarted.
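Because both behaviours depend on the malware first becoming the default dialer, one practical defensive check is to audit which package holds that role on a managed device. The following is an added example (not from Zimperium's report or the malware) that parses constructed samples modelled on `adb shell dumpsys role` and `adb shell pm list packages -3` output and flags a dialer-role holder that is unknown or user-installed; the sample package names, the allowlist and the assumed dump layout are all assumptions.

```python
import re

# Constructed sample modelled on `adb shell dumpsys role` (Android 10+); the real
# layout varies between versions, so the parser below is deliberately loose.
SAMPLE_DUMPSYS_ROLE = """\
ROLES USER 0:
  android.app.role.DIALER:
    holders: com.example.sideloaded.dialer
  android.app.role.SMS:
    holders: com.google.android.apps.messaging
"""

# Constructed sample modelled on `adb shell pm list packages -3`
# (-3 restricts the listing to third-party, i.e. user-installed, packages).
SAMPLE_THIRD_PARTY = """\
package:com.example.sideloaded.dialer
package:com.example.notes
"""

# Assumed allowlist of dialers a fleet expects to see; adjust per device model.
KNOWN_DIALERS = {"com.android.dialer", "com.google.android.dialer",
                 "com.samsung.android.dialer"}


def dialer_role_holders(dump: str) -> list[str]:
    """Return the package names holding android.app.role.DIALER in the dump."""
    m = re.search(r"android\.app\.role\.DIALER:.*?holders:\s*([^\n]*)", dump, re.S)
    if not m:
        return []
    return [p for p in re.split(r"[,\s]+", m.group(1).strip()) if p]


def third_party_packages(pm_output: str) -> set[str]:
    """Parse `pm list packages -3` output into a set of package names."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def audit_default_dialer(dump: str, pm_output: str, allowlist=KNOWN_DIALERS) -> list[str]:
    """Flag default-dialer holders that are unknown or user-installed, the position
    FakeCall has to occupy before it can intercept or rewrite calls."""
    sideloaded = third_party_packages(pm_output)
    findings = []
    for pkg in dialer_role_holders(dump):
        if pkg in allowlist:
            continue
        reason = "user-installed" if pkg in sideloaded else "not on the allowlist"
        findings.append(f"{pkg}: default dialer is {reason}; review before trusting calls")
    return findings
```

On a real device, feed the script the live output of the two `adb shell` commands instead of the constructed samples; a user-installed package holding the dialer role is a strong signal worth investigating, even though legitimate third-party dialers exist.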