Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

New version of Android malware FakeCall redirects bank calls to scammers

The latest FakeCall malware version for Android intercepts outgoing bank calls, redirecting them to attackers to steal sensitive info and bank funds. Zimperium researchers spotted a new version of the FakeCall malware for Android that hijacks outgoing victims’ calls and redirects them to the attacker’s phone number. The malware allows operators to steal bank users’ […]

FakeCall

The latest FakeCall malware version for Android intercepts outgoing bank calls, redirecting them to attackers to steal sensitive info and bank funds.

Zimperium researchers spotted a new version of the FakeCall malware for Android that hijacks outgoing victims’ calls and redirects them to the attacker’s phone number. The malware allows operators to steal bank users’ sensitive information and money from their bank accounts.

FakeCall is a banking trojan that uses voice phishing by impersonating banks in fraudulent calls to obtain sensitive information from victims. FakeCall could also access live audio and video streams from the infected devices.

The new version enhanced evasion and data stealing capabilities, the banking trojan mainly targeted users in South Korea.

Earlier FakeCall versions tricked users into calling scammers by showing a fake bank screen with the bank’s real number. In the latest version, FakeCall sets itself as the default call handler upon installation, controlling all outgoing calls.

Zimperium reported that victims are asked to approve the malicious app as the default call handler. FakeCall mimics the Android dialer, showing trusted contact info to deceive users, secretly hijacking calls to financial institutions and redirecting them to scammers.

“The malicious app will deceive the user, displaying a convincing fake UI that appears to be the legitimate Android’s call interface showing the real bank’s phone number.” reads the report published by Zimperium. “The victim will be unaware of the manipulation, as the malware’s fake UI will mimic the actual banking experience, allowing the attacker to extract sensitive information or gain unauthorized access to the victim’s financial accounts.”

FakeCall relies on the Monitoring Dialer Activity service to monitor events from the com.skt.prod.dialer package (the stock dialer app), potentially allowing it to detect when the user is attempting to make calls using apps other than the malware itself. The malicious code is also able detecting permission prompts from the com.google.android.permissioncontroller (system permission manager) and com.android.systemui (system UI). Upon detecting specific events (e.g., TYPE_WINDOW_STATE_CHANGED), it can automatically grant permissions for the malware, bypassing user consent. Finally, the malware could give remote attackers take full control of the victim’s device UI, allowing them to simulate user interactions, such as clicks, gestures, and navigation across apps. This capability enables the attacker to manipulate the device with precision.

“This receiver functions primarily as a listener, monitoring Bluetooth status and changes. Notably, there is no immediate evidence of malicious behavior in the source code, raising questions about whether it serves as a placeholder for future functionality.” continues the report.

Zimperium has published a list of indicators of compromise (IoC) for the new malware version.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)