Kaspersky Lab experts have reported on a banking trojan they detected, called Fakecalls. It can intercept users’ calls to financial organizations, for example, to bank support services.
According to experts, the malware masquerades as banking applications of well-known South Korean banks. The attackers may attempt to steal payment data or other sensitive information from victims under the guise of employees of a financial institution.
When a person calls a bank’s hotline, the Trojan opens a fake call screen, and events then unfold in one of two ways. In the first, Fakecalls connects the victim directly to the attacker, who poses as a support staff member. In the second, while the connection is in progress, the Trojan plays short audio recordings in Korean. The recording could be, for example, “Hello, thank you for calling our bank. Our call center is currently handling a large volume of calls. A consultant will get back to you as soon as possible.” This allows attackers to gain the trust of victims and obtain valuable information from them during further conversations, including bank account details.
Once installed, the Fakecalls app requests many permissions, such as access to contacts, microphone, camera, geolocation and call control. With these, the malware can drop incoming calls and delete them from the call history on the device, for example when a real bank representative tries to reach the customer.
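For defenders triaging an app that claims to be a banking client, the permission set described above can be checked against a decoded AndroidManifest.xml. The following is an added example, not code from Kaspersky or from the malware: the mapping from the article's capability groups to Android permission names, the "call history" group, the review heuristic and the sample manifests are all assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: the article names capability groups, not permission strings.
CATEGORIES = {
    "contacts": {"READ_CONTACTS", "WRITE_CONTACTS"},
    "microphone": {"RECORD_AUDIO"},
    "camera": {"CAMERA"},
    "geolocation": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "call control": {"CALL_PHONE", "ANSWER_PHONE_CALLS", "PROCESS_OUTGOING_CALLS"},
    "call history": {"READ_CALL_LOG", "WRITE_CALL_LOG"},
}

def requested_permissions(manifest_xml):
    """Return short names of android.permission.* entries in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            if name.startswith("android.permission."):
                perms.add(name.rsplit(".", 1)[1])
    return perms

def triage(manifest_xml):
    """Group requested permissions by category and decide whether to review."""
    perms = requested_permissions(manifest_xml)
    hits = {c: sorted(perms & p) for c, p in CATEGORIES.items() if perms & p}
    # Heuristic (assumption): call handling plus call-log writes lets an app
    # end calls and erase their trace, which a banking client does not need.
    hides_calls = "call control" in hits and "WRITE_CALL_LOG" in perms
    return {"categories": hits, "review": hides_calls or len(hits) >= 5}

def _manifest(*perms):
    # Builds a constructed sample manifest; not taken from any real app.
    rows = "".join(
        f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.sample">{rows}</manifest>')

SUSPECT = _manifest("READ_CONTACTS", "RECORD_AUDIO", "CAMERA", "ACCESS_FINE_LOCATION",
                    "PROCESS_OUTGOING_CALLS", "ANSWER_PHONE_CALLS", "WRITE_CALL_LOG")
BENIGN = _manifest("CAMERA", "INTERNET", "USE_BIOMETRIC")

if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage(xml))
```

The input is the text form of the manifest; a binary manifest taken straight from an APK has to be decoded first.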
Attackers use logos of real banks and show real support numbers that match those found on official bank websites. However, the authors of Fakecalls didn’t take into account that different bank customers may use different interface languages, e.g. English instead of Korean. The Trojan screen shows only the Korean version, so some users might recognize the trap.