Fakecalls, the trojan that pretends to be a bank app and imitates phone conversations

They warn about a Trojan that impersonates a banking application and imitates the telephone customer service of the most popular South Korean banks. Under the guise of bank employees, cybercriminals try to obtain payment data and confidential information from their victims.

This Trojan, which has been dubbed Fakecalls, unlike others can discreetly intercept calls to real banks using its own connection. Kaspersky analysts, who discovered this cyber attack, saw that when a victim calls the bank's hotline the Trojan opens its own fake call instead of the bank's real one.

There are two possible scenarios that develop after the call is intercepted: in the first, Fakecalls connects the victim directly to cybercriminals who present themselves as the bank's customer service. In the second, the Trojan plays a pre-recorded audio that mimics a standard greeting and conversation using an automated voicemail.

From time to time, Fakecalls inserts small fragments of audio in Korean. For example, “Hello. Thank you for calling our bank. Our call center is receiving a high volume of calls. An advisor will talk to you as soon as possible.” This allows them to gain the trust of their victims by making them believe that the call is real. The main purpose of these types of calls is to obtain as much confidential information as possible from victims, including bank account details.

However, attackers using this Trojan have not taken into account that some of its potential victims may use different interface languages, for example, English instead of Korean. The Fakecall screen only has a Korean version, which means that some of the users who use the English interface language will notice the threat.

The Fakecall application, disguised as a real banking application, asks for a series of permissions such as access to contacts, microphone, camera, geolocation and the management of calls. These allow the Trojan to discard incoming calls and delete them from the device history, for example, when the real bank is trying contact your customer.

The Trojan is not only able to control incoming calls but is also able to forge outgoing calls. If cybercriminals want to contact the victim, Fakecalls displays its own call screen above that of the system. In this way, the user does not see the actual number used by cybercriminals, but rather the telephone number of the bank's help desk displayed by the Trojan.

Fakecalls completely imitates the mobile applications of well-known South Korean banks. They insert real bank logos and display the banks' actual attendance numbers as they appear on the main page of their official websites.

“The cybercriminals who created Fakecalls have combined two dangerous technologies: banking Trojans and social engineering, so their victims are more likely to lose money and personal data. When you download a new mobile banking app, keep in mind what permissions it asks for. If you try to gain suspiciously excessive access to device controls, including access to call management, the application is most likely a banking Trojan,” warns Igor Golovin, Kaspersky security analyst.

Cybersecurity experts recommend the following:

1. Download only apps from official stores. Do not allow installation from unknown sources. Official stores check all programs and, if malware manages to sneak in, it is usually removed quickly.

2. Pay attention to what permissions applications ask for and whether they really need them. Unless this is a necessary requirement, it is advisable to deny permissions, especially potentially dangerous ones such as access to calls, text messages, accessibility, etc.

3. Never give confidential information over the phone. Real bank employees will never ask for credentials to access online banking, PIN, card security code or text message confirmation codes. If in doubt, go to the bank's official website and find out what employees can and cannot ask.

4. Have a trusted security solution that protects all devices from banking Trojans and other malware.

KEEP READING: