Online banking malware intercepts support calls
Fakecalls mimics the mobile apps of popular Korean banks, including KB (Kookmin Bank) and KakaoBank.
Cybersecurity researchers from Kaspersky Lab have described a banking Trojan called Fakecalls. In addition to the usual spyware features, it has an unusual ability to “talk” to the victim, imitating a conversation with a bank employee.
When installed, the Trojan requests a number of permissions, including access to contacts, microphone and camera, geolocation, call handling, etc.
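A defender can screen for the permission combination described above when triaging an app. The following is an added example, not code from Kaspersky or from the original article: it reads a decoded AndroidManifest.xml and flags apps that pair call-handling permissions with most of the other capability groups. The mapping of the article's capability names to Android permission strings, the threshold, and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping: capability groups named in the article -> Android permissions.
GROUPS = {
    "contacts": {P + "READ_CONTACTS", P + "WRITE_CONTACTS"},
    "microphone": {P + "RECORD_AUDIO"},
    "camera": {P + "CAMERA"},
    "geolocation": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "call handling": {P + "PROCESS_OUTGOING_CALLS", P + "CALL_PHONE",
                      P + "ANSWER_PHONE_CALLS", P + "READ_CALL_LOG"},
}

# Constructed sample manifests (not taken from any real app).
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bankapp">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photomap">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    return {el.get(ANDROID_NS + "name") for t in tags for el in root.iter(t)} - {None}

def audit(manifest_xml, threshold=4):
    """Flag call handling combined with at least `threshold` groups in total."""
    perms = requested_permissions(manifest_xml)
    hits = {g: sorted(perms & names) for g, names in GROUPS.items() if perms & names}
    flagged = "call handling" in hits and len(hits) >= threshold
    return flagged, hits

if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, audit(xml_text))
```

A hit is a reason to look more closely, not proof of malice: legitimate dialer and VoIP apps also request call-handling permissions, which is why the heuristic requires several other groups alongside it.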
Unlike other banking Trojans, Fakecalls can mimic phone calls to customer service. If the victim calls the bank’s hotline, the Trojan discreetly breaks the connection and opens its own fake call screen instead of the normal call app. While the user suspects nothing, the attackers take control of the situation.
The only thing that can give the Trojan away is its fake call screen. Fakecalls has only one interface language – Korean. This means that if a different system language is selected on the phone, the victim is likely to notice that something is wrong.
After the call is hijacked, two scenarios are possible. In the first, Fakecalls connects the victim directly to the cybercriminals, since the app has permission to make outgoing calls. In the second, the Trojan plays a pre-recorded sound that imitates the standard bank greeting. The attackers recorded several phrases in Korean of the kind usually spoken by voicemail or call-center staff. The scammers, posing as bank employees, may try to coax payment information or other sensitive information out of the victim.
In addition to outgoing calls, Fakecalls can also spoof incoming calls. When the attackers want to contact the victim, the Trojan displays its own screen over the system screen. As a result, the user sees not the real number used by the cybercriminals but the one shown by the malicious program, e.g. the bank's support phone number.
Fakecalls imitates the mobile applications of popular Korean banks, including KB (Kookmin Bank) and KakaoBank. In addition to the familiar logos, the Trojan's creators have Fakecalls display the support numbers of the corresponding banks. The phone numbers appear to be real (one of the numbers can be found on the main page of the official site of KakaoBank).