Cybersecurity researchers have identified a new version of FakeCall, a sophisticated Android malware family employing voice phishing (vishing) techniques to deceive users and extract sensitive information. As reported by Zimperium researcher Fernando Ortega, this malware enables attackers to manipulate mobile devices extensively, intercepting calls, capturing data, and simulating genuine user experiences to exploit victims.
What is FakeCall?
FakeCall, also tracked as FakeCalls or Letscall, has been under scrutiny since its emergence in April 2022, primarily targeting South Korean mobile users. This malware operates through deceptive dropper apps like com.qaz123789.serviceone, com.securegroup.assistant, and ouyudz.wqrecg.blxal, masquerading as legitimate applications. FakeCall leverages Android’s accessibility services API to control device functions, collect data, and gain permissions. These capabilities include reading SMS messages, accessing contacts, taking photos, recording audio and video, and even monitoring Bluetooth and screen state.
How the New Version Works
In a new twist, FakeCall prompts users to set it as the default dialer app. This allows it to intercept and manipulate calls, redirecting users to fraudulent numbers controlled by attackers. For example, when a user attempts to call their bank, the malware redirects the call to a rogue number, displaying a convincing interface that mimics the legitimate call screen and the bank’s contact details. Victims may unknowingly share sensitive information, thinking they’re speaking with their bank’s support team.
Ortega explains, "The malicious app creates a fake UI that looks like the genuine Android call interface. The victim remains unaware of the manipulation, making it easy for attackers to extract private data or gain unauthorized access to accounts."
Evolution of Vishing and Mishing Techniques
FakeCall represents an advanced approach to mishing (mobile phishing) tactics, bypassing caller identification tools that typically alert users to suspicious numbers. This evolution of FakeCall underscores the constant adaptation of malicious actors to counter improved security measures on mobile devices.
Google’s Security Initiative
To combat such threats, Google has recently begun a security initiative to block the sideloading of potentially risky apps, especially those requesting accessibility services permissions. This program, currently being tested in Singapore, Thailand, Brazil, and India, aims to minimize the risk of malware by restricting app installations outside of Google Play.
As vishing and mishing tactics become increasingly sophisticated, users are advised to download apps only from trusted sources, avoid setting unfamiliar apps as default services, and remain vigilant for unusual device behaviors that could indicate malicious activity.
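The following check is an added example, not code from the article or from Zimperium's report. It correlates the three signals described above: the default dialer role, an enabled accessibility service, and installation from outside Google Play. It assumes the inputs are saved text output of `adb shell telecom get-default-dialer`, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i -3`; the package names and the `trusted_dialers` allowlist are constructed for illustration.

```python
import re

PLAY_STORE = "com.android.vending"  # installer package name of Google Play

def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -i` style lines."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers

def parse_accessibility(setting_value):
    """Packages that own an enabled accessibility service.
    The setting is a colon-separated list of package/ServiceClass entries."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}

def triage(default_dialer, accessibility_value, pm_output, trusted_dialers):
    """Flag apps not installed by Google Play that hold the dialer role
    or have an accessibility service enabled."""
    installers = parse_installers(pm_output)
    a11y = parse_accessibility(accessibility_value)
    dialer = default_dialer.strip()
    findings = []
    for pkg, installer in sorted(installers.items()):
        reasons = []
        if pkg == dialer and pkg not in trusted_dialers:
            reasons.append("holds default dialer role")
        if pkg in a11y:
            reasons.append("accessibility service enabled")
        if reasons and installer != PLAY_STORE:
            reasons.append("installer=" + installer)
            findings.append((pkg, reasons))
    return findings

# Constructed sample data; not taken from a real device or from the report.
PM_OUTPUT = """package:com.example.callhelper  installer=null
package:com.example.notes  installer=com.android.vending
package:com.example.reader  installer=com.android.vending
"""
A11Y = "com.example.callhelper/.AssistService:com.example.reader/.ReadAloudService"
DIALER = "com.example.callhelper\n"

if __name__ == "__main__":
    for pkg, reasons in triage(DIALER, A11Y, PM_OUTPUT, {"com.google.android.dialer"}):
        print(pkg, "->", "; ".join(reasons))
```

An app that matches both the dialer and accessibility conditions without a Play Store installer is a candidate for manual review, not a confirmed FakeCall infection.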