
Phishing Campaign delivers Fakecalls Android Banking Trojan

South Korean Users targeted by Fake Bank Customer Care Calls

Cyble Research & Intelligence Labs (CRIL) identified a phishing campaign targeting South Korean mobile users through a fake Google Play Store page to deliver Fakecalls Android malware.

The image below depicts a phishing page hosted on the URL: hxxp://118.170.57[.]235/ impersonating a Google Play Store website. The page shows an Android application named “National Police Agency Pol-AntiSpy 3.0”.

In the “developer name” section, the Threat Actors (TA) mentioned National Police Agency with a text hyperlink redirecting users to the legitimate National Police Agency account on the Google Play Store.

In the description, the TA claims that this application has been developed by the Cyber Security Bureau of the National Police Agency to detect and delete any spy app installed on the device. The TA asks users to install the app directly from their website rather than the official app store. The description also advertises an additional function that analyses an app's risky permissions and notifies users of the risk.

Figure 1 – Fake Google Play Store Delivering Malicious App

During our dynamic analysis of the downloaded Android application, we observed that this malicious application has a similar icon to the South Korean National Police Agency logo and the name National Police Agency Pol-AntiSpy 3.0.

Using the icon and title related to the South Korean Police Department, the TA tries to trick users into believing it is a legitimate application developed by the National Police Agency.

The malicious application name and icon view on the Android device screen is shown below.

Figure 2 – Application Icon and Name

Upon analyzing the APK file, we identified it as a variant of Fakecalls Android malware.

The Fakecalls Android malware is known for redirecting compromised users’ calls to a TA-controlled number where the TA pretends to be a bank’s customer care executive. It also includes several other sophisticated features to steal user-sensitive information from the Android device, such as SMSs, contact details, call logs, and neighboring cell information, including Google cell tower info.

While monitoring this campaign, we observed over 1,000 samples submitted to VirusTotal in the last few months. The chart below depicts month-over-month statistics of the Fakecalls Android malware samples in the wild.

Figure 3 – Fakecalls Samples Identified in the last few months

Technical Analysis

APK Metadata Information

  • App Name: National Police Agency Pol-AntiSpy 3.0
  • Package Name: com.bniterva.hoct16p
  • SHA256 Hash: 263a5c15bf82836b69ee8ccbb2cd32b88a3e1fda51451cc9c3c17d42307f9782

Manifest Description

The malware requests 39 different permissions from the user, of which it abuses at least 17. These dangerous permissions are listed below:

| Permission | Description |
|---|---|
| ACCESS_NETWORK_STATE | Allows the app to view information about network connections |
| READ_PHONE_STATE | Allows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device |
| READ_SMS | Access phone messages |
| WRITE_SMS | Allows the app to modify or delete SMS |
| READ_CONTACTS | Access phone contacts |
| PROCESS_OUTGOING_CALLS | Allows the app to process outgoing calls and modify the dialing number |
| READ_EXTERNAL_STORAGE | Allows the app to read the contents of the device’s external storage |
| WRITE_EXTERNAL_STORAGE | Allows the app to write or delete files to the external storage of the device |
| READ_CALL_LOG | Access phone call logs |
| RECORD_AUDIO | Allows the app to record audio with the microphone, which can be misused by attackers |
| ACCESS_COARSE_LOCATION | Allows the app to get the approximate location of the device network sources, such as cell towers and Wi-Fi |
| ACCESS_FINE_LOCATION | Allows the app to get the precise location of the device using the Global Positioning System (GPS) |
| READ_PHONE_NUMBERS | Allows read access to the device’s phone number(s) |
| REQUEST_DELETE_PACKAGES | Allows an application to request deleting packages |
| CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface to confirm the call |
| RECEIVE_SMS | Allows an application to receive SMS messages |
| DISABLE_KEYGUARD | Allows the app to disable the keylock and any associated password security |
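
A triage check built on the permission table above, added here as an example and not taken from the report or from the malware: it reads a decoded (text) AndroidManifest.xml and flags apps that can both reroute outgoing calls and harvest data. The cluster grouping, the min_clusters threshold and the sample manifests are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

NAME_ATTR = "{http://schemas.android.com/apk/res/android}name"

# Assumed grouping (not from the report) of permissions listed in its table,
# by the behaviour the report attributes to Fakecalls.
CLUSTERS = {
    "call_redirection": {"PROCESS_OUTGOING_CALLS", "CALL_PHONE"},
    "call_log": {"READ_CALL_LOG"},
    "sms": {"READ_SMS", "RECEIVE_SMS", "WRITE_SMS"},
    "microphone": {"RECORD_AUDIO"},
    "contacts": {"READ_CONTACTS"},
    "location": {"ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION"},
}

def requested_permissions(manifest_xml):
    """Return the short names of android.permission.* entries in a decoded manifest."""
    # For untrusted samples, prefer the defusedxml package over the stdlib parser.
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(NAME_ATTR, "")
            if name.startswith("android.permission."):
                perms.add(name.rsplit(".", 1)[1])
    return perms

def triage(manifest_xml, min_clusters=4):
    """Flag apps that hold both call-redirection permissions plus other clusters."""
    perms = requested_permissions(manifest_xml)
    hits = {c: sorted(p & perms) for c, p in CLUSTERS.items() if p & perms}
    reroute = CLUSTERS["call_redirection"] <= perms
    return {"hits": hits, "suspicious": reroute and len(hits) >= min_clusters}

def _manifest(names):
    """Build a constructed sample manifest declaring the given permissions."""
    rows = "".join(f'<uses-permission android:name="android.permission.{n}"/>' for n in names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.sample">{rows}</manifest>')

# Constructed samples, not extracted from the analysed APK.
FAKECALLS_LIKE = _manifest(["PROCESS_OUTGOING_CALLS", "CALL_PHONE", "READ_SMS",
                            "RECORD_AUDIO", "READ_CONTACTS", "READ_CALL_LOG"])
DIALER_LIKE = _manifest(["CALL_PHONE", "READ_CONTACTS", "INTERNET"])

if __name__ == "__main__":
    for label, xml in (("fakecalls-like", FAKECALLS_LIKE), ("dialer-like", DIALER_LIKE)):
        print(label, triage(xml))
```

A hit is a reason to look closer at the app, not a verdict: legitimate dialer and call-screening apps request some of the same permissions.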

Source Code Review

Our static analysis indicates that the Fakecalls malware initially plays the bank’s pre-recorded customer care music and then redirects the user’s call to the TA. Once connected to the call, TAs can trick victims into sharing their sensitive information, including banking credentials or OTP, as they may be misled into thinking that they are speaking with a bank customer care executive.

The code snippet shown below is used by the malware to play the bank’s pre-recorded telephone music before redirecting the users’ calls to the TA.

Figure 4 – Code to Play Bank’s Telephonic Music Before Redirecting the Call

The code shown in the below snippet is used to connect the call to the TA.

Figure 5 – Code to Connect Call to the TA

Through the code shown in Figure 6, the malware records the audio through the device’s microphone and sends the data to the TA’s C&C server.

Figure 6 – Code to Record Audio using microphone

Upon receiving the command from the TA’s C&C, the malware deletes the call history from the victim’s device so that the victim does not suspect malicious activity.

Figure 7 – Code to Delete Call Logs from victim’s device

The image below contains the code through which the malware can get phone information such as network operator details and device location from a GSM or CDMA connection. Most importantly, the malware has code that can fetch the neighboring cell information, including Google cell tower info.

Figure 8 – Code to Get Phone Info

The spyware collects the contact information saved on the victim’s device through the code below. After collecting the contact data, the TA can further extend their target or execute various malicious campaigns on those contacts.

Figure 9 – Code to Collect saved Contacts data from the victim’s device

The malware uses the code below to collect the victim’s SMS data upon receiving the command from TA’s C&C. Attackers can use stolen SMS data to perform various malicious activities such as stealing contact details, bypassing two-factor authentication, etc.

Figure 10 – Code to Collect SMSs

The code snippet below shows the malware’s capability to modify call logs present in the victim’s device. By adding or deleting the call logs, the TA can avoid raising any suspicions on the victim’s part regarding any unknown or unrecognized calls being placed from their device.

Figure 11 – Code to Modify Call Logs

Through the malware, the TA can also send SMSs to other numbers with SMS content provided by the C&C server. TAs can use this feature to send spam messages or extend their campaign by sending malicious links.

Figure 12 – Code to Send SMS from victim’s device

The malware uses the commands below to extract sensitive information from the user’s device.

Command-List
K_IMG_HOST
K_TODAY
K_CALL_ORIGINAL
K_ACCESSIBILITY_ON
K_DECL_IN
K_DELETE
K_UP_REGISTER_INFO
K_GOOGLE_ID
K_HISTORY_JSON
K_INIT_SCAN_DONE
K_READY_JSON
K_BLO_JSON
K_OUT_JSON
K_UP_SINGLE_MESSAGE_INFO
K_IN_JSON
K_ACCEPT_JSON
K_MESSAGE_BACK_UP
K_UP_CALL_INFO
K_HOST
K_APP_ID
K_SOCKET_CONNECTION
K_OUT_CALL_SWITCH
K_FORW_SETTING
K_HISTORY_MESSAGE
K_T_PERMISSION_OFF
K_WHOWHO_PERMISSION_OFF
K_GOGO_PERMISSION_OFF
K_EV_WHO_PERMISSION_OFF
K_DU_PERMISSION_OFF
K_THECALL_PERMISSION_OFF
K_BLOCK_PERMISSION_OFF
K_MOIM_PERMISSION_OFF
K_JS_KEY
K_JS_TRIAL
K_JS_CALL_DURATION
K_JS_LOGIN_TIMEOUT
K_PRESS_KEY
K_JS_VIDEO_TRIAL_TODAY
K_DEFAULT_MESSAGE
K_TOKEN
K_LATITUDE
K_LONGITUDE
K_ACCURACY
K_BLUE_OFF
K_LAST_CONTACT_DATE
K_BLOCK
K_JPU_KEY
K_UP_MEDIA
K_ALL_MESSAGE_UPLOADED
K_APPS_LIST
K_LG_WHO_PERMISSION_OFF
K_LAST_SCAN_CHECK_DATE
K_FIRST_OPEN_DATE
K_LAST_UP_REG_INFO
K_GIT_HOST
K_PERMISSION_LIST

Conclusion

Threat Actors continuously leverage novel techniques to target netbanking users to circumvent security controls. In this case, we observed them targeting Korean netbanking users to get sensitive information such as banking credentials or One-Time-Passwords (OTPs) to commit financial fraud.

According to CRIL, Fakecalls Android malware is distributed via sources other than Google Play Store. As a result, practicing basic cyber hygiene across mobile devices and online banking applications effectively prevents such malware from compromising your devices.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How to prevent malware infection?

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.

What to do when you are infected?

  • Disable Wi-Fi/Mobile data and remove SIM cards – as in some cases, the malware can re-enable the Mobile Data.
  • Perform a factory reset.
  • Remove the application in case a factory reset is not possible.
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset.

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank.

What should banks do to protect their customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.

MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1476 | Deliver Malicious App via Other Means |
| Initial Access | T1444 | Masquerade as a Legitimate Application |
| Execution | T1575 | Native Code |
| Collection | T1636.004 | Capture SMS Messages |
| Collection | T1636.003 | Capture Contact List |
| Collection | T1636.002 | Capture Call Logs |
| Command and Control | T1436 | Commonly Used Port |

Indicators of Compromise (IOCs)

| Indicator | Indicator Type | Description |
|---|---|---|
| e87d4aecf9b03c63c0bea4682a916de9 | MD5 | Malicious APK |
| 7039e44b7968a3ef621f265f57bf63203183d23d | SHA1 | Malicious APK |
| 263a5c15bf82836b69ee8ccbb2cd32b88a3e1fda51451cc9c3c17d42307f9782 | SHA256 | Malicious APK |
| hxxp://118.170.57[.]235/ | URL | Phishing Page Delivering Fakecalls Android Sample |