South Korean Users targeted by Fake Bank Customer Care Calls
Cyble Research & Intelligence Labs (CRIL) identified a phishing campaign targeting South Korean mobile users through a fake Google Play Store page to deliver Fakecalls Android malware.
The image below depicts a phishing page hosted on the URL: hxxp://118.170.57[.]235/ impersonating a Google Play Store website. The page shows an Android application named “National Police Agency Pol-AntiSpy 3.0”.
In the “developer name” section, the Threat Actors (TA) mentioned National Police Agency with a text hyperlink redirecting users to the legitimate National Police Agency account on the Google Play Store.
In the description, the TA claims that this application has been developed by the Cyber Security Bureau of the National Police Agency to detect and delete if any spy app is installed on the device. The TA asks users to directly install the app from their website rather than the official app store. Moreover, the TAs get an additional function to analyse the risk permissions of the app and notify the users of the risk.
During our dynamic analysis of the downloaded Android application, we observed that this malicious application has a similar icon to the South Korean National Police Agency logo and the name National Police Agency Pol-AntiSpy 3.0.
Using the icon and title related to the South Korean Police Department, the TA tries to trick users into believing it is a legitimate application developed by the National Police Agency.
The malicious application name and icon view on the Android device screen is shown below.
Upon analyzing the APK file, we identified it as a variant of Fakecalls Android malware.
The Fakecalls Android malware is known for redirecting compromised users’ calls to a TA-controlled number where the TA pretends to be a bank’s customer care executive. It also includes several other sophisticated features to steal user-sensitive information from the Android device, such as SMSs, contact details, call logs, and neighboring cell information, including Google cell tower info.
While monitoring this campaign, we observed over 1,000 samples submitted to VirusTotal in the last few months. The below flow chart depicts month-over-month statistics of the Fakecalls Android malware samples in the wild.
Technical Analysis
APK Metadata Information
- App Name: National Police Agency Pol-AntiSpy 3.0
- Package Name: com.bniterva.hoct16p
- SHA256 Hash: 263a5c15bf82836b69ee8ccbb2cd32b88a3e1fda51451cc9c3c17d42307f9782
Manifest Description
The malware requests for 39 different permissions from the user, out of which it abuses at least 17. These dangerous permissions are listed below:
| Permissions | Description |
| ACCESS_NETWORK_STATE | Allows the app to view information about network connections |
| READ_PHONE_STATE | Allows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device |
| READ_SMS | Access phone messages |
| WRITE_SMS | Allows the app to modify or delete SMS |
| READ_CONTACTS | Access phone contacts |
| PROCESS_OUTGOING_CALLS | Allows the app to process outgoing calls and modify the dialing number |
| READ_EXTERNAL_STORAGE | Allows the app to read the contents of the device’s external storage. |
| WRITE_EXTERNAL_STORAGE | Allows the app to write or delete files to the external storage of the device |
| READ_CALL_LOG | Access phone call logs |
| RECORD_AUDIO | Allows the app to record audio with the microphone, which can be misused by attackers |
| ACCESS_COARSE_LOCATION | Allows the app to get the approximate location of the device network sources, such as cell towers and Wi-Fi |
| ACCESS_FINE_LOCATION | Allows the app to get the precise location of the device using the Global Positioning System (GPS) |
| READ_PHONE_NUMBERS | Allows read access to the device’s phone number(s) |
| REQUEST_DELETE_PACKAGES | Allows an application to request deleting packages |
| CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface to confirm the call. |
| RECEIVE_SMS | Allows an application to receive SMS messages. |
| DISABLE_KEYGUARD | Allows the app to disable the keylock and any associated password security. |
Source Code Review
Our static analysis indicates that the Fakecalls malware initially plays the bank’s pre-recorded customer care music and then redirects the user’s call to the TA. Once connected to the call, TAs can trick victims into sharing their sensitive information, including banking credentials or OTP, as they may be misled into thinking that they are speaking with a bank customer care executive.
The code snippet shown below is used by the malware to play the bank’s pre-recorded telephone music before redirecting the users’ calls to the TA.
The code shown in the below snippet is used to connect the call to the TA.
Through the code shown in Figure 6, the malware records the audio through the device’s microphone and sends the data to the TA’s C&C server.
Upon receiving the command from the TA’s C&C, the malware deletes the call history from the victim’s device so that the victim cannot suspect malicious activity.
The image below contains the code through which the malware can get phone information such as network operator details and device location from GSM or CDMA connection. Most importantly, the malware has a code that can fetch the neighboring cell information, including Google cell tower info.
The spyware collects the contact information saved on the victim’s device through the code below. After collecting the contact data, the TA can further extend their target or execute various malicious campaigns on those contacts.
The malware uses the code below to collect the victim’s SMS data upon receiving the command from TA’s C&C. Attackers can use stolen SMS data to perform various malicious activities such as stealing contact details, bypassing two-factor authentication, etc.
The code snippet below shows the malware’s capability to modify call logs present in the victim’s device. By adding or deleting the call logs, the TA can avoid raising any suspicions on the victim’s part regarding any unknown or unrecognized calls being placed from their device.
Through the malware, the TA can also send SMSs to other numbers with SMS content provided by the C&C server. TAs can use this feature to send spam messages or extend their campaign by sending malicious links.
The malware uses the below commands to extract sensitive information from the user’s device.
| Command-List |
| K_IMG_HOST |
| K_TODAY |
| K_CALL_ORIGINAL |
| K_ACCESSIBILITY_ON |
| K_DECL_IN |
| K_DELETE |
| K_UP_REGISTER_INFO |
| K_GOOGLE_ID |
| K_HISTORY_JSON |
| K_INIT_SCAN_DONE |
| K_READY_JSON |
| K_BLO_JSON |
| K_OUT_JSON |
| K_UP_SINGLE_MESSAGE_INFO |
| K_IN_JSON |
| K_ACCEPT_JSON |
| K_MESSAGE_BACK_UP |
| K_UP_CALL_INFO |
| K_HOST |
| K_APP_ID |
| K_SOCKET_CONNECTION |
| K_OUT_CALL_SWITCH |
| K_FORW_SETTING |
| K_HISTORY_MESSAGE |
| K_T_PERMISSION_OFF |
| K_WHOWHO_PERMISSION_OFF |
| K_GOGO_PERMISSION_OFF |
| K_EV_WHO_PERMISSION_OFF |
| K_DU_PERMISSION_OFF |
| K_THECALL_PERMISSION_OFF |
| K_BLOCK_PERMISSION_OFF |
| K_MOIM_PERMISSION_OFF |
| K_JS_KEY |
| K_JS_TRIAL |
| K_JS_CALL_DURATION |
| K_JS_LOGIN_TIMEOUT |
| K_PRESS_KEY |
| K_JS_VIDEO_TRIAL_TODAY |
| K_DEFAULT_MESSAGE |
| K_TOKEN |
| K_LATITUDE |
| K_LONGITUDE |
| K_ACCURACY |
| K_BLUE_OFF |
| K_LAST_CONTACT_DATE |
| K_BLOCK |
| K_JPU_KEY |
| K_UP_MEDIA |
| K_ALL_MESSAGE_UPLOADED |
| K_APPS_LIST |
| K_LG_WHO_PERMISSION_OFF |
| K_LAST_SCAN_CHECK_DATE |
| K_FIRST_OPEN_DATE |
| K_LAST_UP_REG_INFO |
| K_GIT_HOST |
| K_PERMISSION_LIST |
Conclusion
Threat Actors continuously leverage novel techniques to target netbanking users to circumvent security controls. In this case, we observed them targeting Korean netbanking users to get sensitive information such as banking credentials or One-Time-Passwords (OTPs) to commit financial fraud.
According to CRIL, Fakecalls Android malware is distributed via sources other than Google Play Store. As a result, practicing basic cyber hygiene across mobile devices and online banking applications effectively prevents such malware from compromising your devices.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?
- Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
- Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.
What to do when you are infected?
- Disable Wi-Fi/Mobile data and remove SIM cards – as in some cases, the malware can re-enable the Mobile Data.
- Perform a factory reset.
- Remove the application in case a factory reset is not possible.
- Take a backup of personal media Files (excluding mobile applications) and perform a device reset.
What to do in case of any fraudulent transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank.
What should banks do to protect their customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1476 | Deliver Malicious App via Other Means. |
| Initial Access | T1444 | Masquerade as a Legitimate Application |
| Execution | T1575 | Native Code |
| Collection | T1636.004 T1636.003 T1636.002 | Capture SMS MessagesCapture Contact ListCapture Call Logs |
| Command and Control | T1436 | Commonly Used Port |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| e87d4aecf9b03c63c0bea4682a916de9 | MD5 | Malicious APK |
| 7039e44b7968a3ef621f265f57bf63203183d23d | SHA1 | Malicious APK |
| 263a5c15bf82836b69ee8ccbb2cd32b88a3e1fda51451cc9c3c17d42307f9782 | SHA256 | Malicious APK |
| hxxp://118.170.57[.]235/ | URL | Phishing Page Delivering Fakecalls Android Sample |
