{"id":19517,"date":"2022-04-11T14:16:11","date_gmt":"2022-04-11T10:16:11","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/fakecalls-banking-trojan\/19517\/"},"modified":"2022-04-11T14:16:52","modified_gmt":"2022-04-11T10:16:52","slug":"fakecalls-banking-trojan","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/fakecalls-banking-trojan\/19517\/","title":{"rendered":"Fakecalls: a talking Trojan"},"content":{"rendered":"<p>Cybercriminals are always coming up with ever more sophisticated malware. Last year, for example, saw the appearance of an unusual banking Trojan called Fakecalls. Besides the usual spying features, it has an interesting ability to \u201ctalk\u201d with the victim in the guise of a bank employee. There is little information about Fakecalls online, so we decided to shed some light on its capabilities.<\/p>\n<h2>Trojan in disguise<\/h2>\n<p>Fakecalls mimics the mobile apps of popular Korean banks, among them KB (Kookmin Bank) and KakaoBank. Curiously, in addition to the usual logos, the Trojan\u2019s creators display the support numbers of the respective banks on the Fakecalls screen. 
These phone numbers appear to be real \u2014 the number 1599-3333, for instance, can be found on the main page of the KakaoBank official website.<\/p>\n<div id=\"attachment_44074\" style=\"width: 1470px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/04\/11141620\/fakecalls-banking-trojan-screen-1.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-44074\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/04\/11141620\/fakecalls-banking-trojan-screen-1.png\" alt=\"The Trojan imitates the KB (left) and KakaoBank (right) banking apps\" width=\"1460\" height=\"1280\" class=\"size-full wp-image-19518\"><\/a><p id=\"caption-attachment-44074\" class=\"wp-caption-text\">The Trojan imitates the KB (left) and KakaoBank (right) banking apps<\/p><\/div>\n<p>When installed, the Trojan immediately requests a whole host of permissions, including access to contacts, microphone and camera, geolocation, call handling, and so on.<\/p>\n<h2>Calling the bank<\/h2>\n<p>Unlike other banking Trojans, Fakecalls can imitate phone conversations with customer support. If the victim calls the bank\u2019s hotline, the Trojan discreetly breaks the connection and opens its own fake call screen instead of the regular calling app. The call appears to be normal, but in fact the attackers are now in control.<\/p>\n<p>The only thing that might give away the Trojan at this stage is the fake call screen. Fakecalls has only one interface language: Korean. 
This means that if another system language is selected on the phone \u2014 say, English \u2014 the victim will likely smell a rat.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/04\/11141634\/fakecalls-banking-trojan-screen-2.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/04\/11141634\/fakecalls-banking-trojan-screen-2.png\" alt=\"The standard calling app screen (left) and the Fakecalls screen (right)\" width=\"1460\" height=\"1280\" class=\"aligncenter size-full wp-image-19520\"><\/a><\/p>\n<p>After the call is intercepted, there are two possible scenarios. In the first, Fakecalls connects the victim directly with the cybercriminals, since the app has permission to make outgoing calls. In the second, the Trojan plays prerecorded audio imitating the standard greeting from the bank.<\/p>\n<div id=\"attachment_44076\" style=\"width: 690px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/04\/11141649\/fakecalls-banking-trojan-screen-3.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-44076\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/04\/11141649\/fakecalls-banking-trojan-screen-3.png\" alt=\"Fakecalls code fragment that plays prerecorded audio during an outgoing call\" width=\"680\" height=\"680\" class=\"size-full wp-image-19522\"><\/a><p id=\"caption-attachment-44076\" class=\"wp-caption-text\">Fakecalls code fragment that plays prerecorded audio during an outgoing call<\/p><\/div>\n<p>So that the Trojan maintains a realistic dialogue with the victim, the cybercriminals have recorded several phrases (in Korean) typically uttered by voicemail or call-center employees. For example, the victim might hear something like this: \u201cHello. Thank you for calling KakaoBank. 
Our call center is currently receiving an unusually large volume of calls. A consultant will speak to you as soon as possible. [...] To improve the quality of the service, your conversation will be recorded.\u201d Or: \u201cWelcome to Kookmin Bank. Your conversation will be recorded. We will now connect you with an operator.\u201d<\/p>\n<p>After that, the attackers, under the guise of a bank employee, can try to coax payment data or other confidential information out of the victim.<\/p>\n<p>Besides outgoing calls, Fakecalls can spoof incoming calls as well. When the cybercriminals want to contact the victim, the Trojan displays its own screen over the system one. As a result, the user sees not the real number used by the cybercriminals, but the one shown by the Trojan, such as the phone number of the bank\u2019s support service.<\/p>\n<h2>Spyware toolkit<\/h2>\n<p>In addition to mimicking telephone customer support, Fakecalls has features more typical of banking Trojans. For example, at the attackers\u2019 command, the malware can turn on the microphone of the victim\u2019s phone and send recordings from it to their server, as well as secretly broadcast audio and video from the phone in real time.<\/p>\n<p>That\u2019s not all. Remember the permissions the Trojan asked for during installation? The cybercriminals can use them to determine the device\u2019s location, copy the contacts list or files (including photos and videos) from the phone to their server, and access the call and text message history.<\/p>\n<p>These permissions allow the malware not only to spy on the user, but to control their device to a certain extent, giving the Trojan the ability to drop incoming calls and delete them from the history. 
This allows the scammers, among other things, to block and hide real calls from banks.<\/p>\n<p>Kaspersky solutions detect this malware with the verdict Trojan-Banker.AndroidOS.Fakecalls and safeguard the device.<\/p>\n<h2>How to stay protected<\/h2>\n<p>To prevent your personal data and money from falling into cybercriminal hands, follow these simple tips:<\/p>\n<ul>\n<li>Download apps only from official stores and <a href=\"https:\/\/www.kaspersky.com\/blog\/unknown-apps-android\/41656\/\" target=\"_blank\" rel=\"noopener nofollow\">do not allow installations from unknown sources<\/a>. Official stores run checks on all programs, and even if malware still sneaks in, it usually gets promptly removed.<\/li>\n<li>Pay attention to <a href=\"https:\/\/www.kaspersky.com\/blog\/android-8-permissions-guide\/23981\/\" target=\"_blank\" rel=\"noopener nofollow\">what permissions apps ask<\/a> for and whether they really need them. Don\u2019t be afraid to deny permissions, especially potentially dangerous ones like access to calls, text messages, accessibility and so on.<\/li>\n<li>Never give confidential information over the phone. Real bank employees will never ask for your online banking login credentials, PIN, card security code or confirmation codes from text messages. 
If in doubt, go to the bank\u2019s official website and find out what employees can and cannot ask about.<\/li>\n<li>Install a <a href=\"https:\/\/me-en.kaspersky.com\/plus?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kplus___\" target=\"_blank\" rel=\"noopener\">robust solution<\/a> that protects all your devices from banking Trojans and other malware.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>A Trojan that masquerades as a banking app and imitates phone conversations with bank employees.<\/p>\n","protected":false},"author":2624,"featured_media":19524,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[105,702,426,1825],"class_list":{"0":"post-19517","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-android","9":"tag-banking-trojans","10":"tag-mobile-devices","11":"tag-permissions"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/fakecalls-banking-trojan\/19517\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/fakecalls-banking-trojan\/24030\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/fakecalls-banking-trojan\/9859\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/fakecalls-banking-trojan\/26354\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/fakecalls-banking-trojan\/24298\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/fakecalls-banking-trojan\/24650\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/fakecalls-banking-trojan\/27063\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/fakecalls-banking-trojan\/26612\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/fakecalls-banking-trojan\/33021\/"},{"
hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/fakecalls-banking-trojan\/10619\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/fakecalls-banking-trojan\/44072\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/fakecalls-banking-trojan\/18748\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/fakecalls-banking-trojan\/19280\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/fakecalls-banking-trojan\/15925\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/fakecalls-banking-trojan\/28447\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/fakecalls-banking-trojan\/32524\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/fakecalls-banking-trojan\/24937\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/fakecalls-banking-trojan\/30379\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/fakecalls-banking-trojan\/30147\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/android\/","name":"Android"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19517","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2624"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=19517"}],"version-history":[{"count":3,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19517\/revisions"}],"predecessor-version":[{"id":19523,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19517\/revisions\/19523"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/19524"}],"wp:attachment":[{"href":"https:\/
\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=19517"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=19517"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=19517"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}