• Sun. Aug 20th, 2023

Fakecalls Ransomware is Still Attacking Android Systems Using New Ways

Jun 2, 2023
Fakecalls Ransomware is Still Attacking Android Systems Using New Ways
Esme Greene

The FakeCalls Trojan has been updated and can currently spoof apps that are legitimate.

FakeCalls malware, infamous for attacking Android users in South Korea, has altered its strategies in order to avoid detection by antivirus applications. Previously targeting South Korean enterprises utilizing phony applications, FakeCalls is now using authentic app signing keys to avoid signature-based detection systems.

Based on reports, McAfee’s FakeCalls campaign makes use of keys taken from a legitimate South Korean app. Fake apps that use this key pose as legitimate banking apps and even use their iconography.

How the Malware Functions

FakeCalls encrypts its source code with a layer to evade identification. The source code was deciphered, revealing many malicious functionality:

  • FakeCalls attempts to set up a different program once it is launched and requests the necessary rights. The asset directory houses the installed program under the form of a “Introduction[.]html” HTML file.
  • The user is prompted by this payload for a number of extra rights, including authorization to access private information on the infected gadget.
  • The software next registers the mobile device for a number of services before connecting to the C2 server to get additional commands.

FakeCalls’ methods for getting around cybersecurity are always getting better. The capacity to replicate legal programs has also been strengthened by the usage of authentic application keys. Professionals advise always installing programs from reputable, authorized websites in order to keep safe.

FakeCalls are disseminated in fraudulent banking apps that spoof well-known Korean financial organizations, leading the victims to believe they are using a reputable application.

The attack starts with the target being offered a loan with a cheap rate of interest through the app. When the user expresses curiosity, the virus places a call, which delivers an audio recording of the bank’s actual client service representative and contains directions on how to process the request for a loan.