Executive Summary
As part of our ongoing mission to identify emerging threats to mobile security, our zLabs team has been actively tracking a new variant of a well-known malware previously reported by ThreatFabric and Kaspersky. This malware, named FakeCall, employs a technique known as Vishing (voice phishing), in which fraudulent phone calls or voice messages are used to deceive victims into disclosing sensitive information, such as login credentials, credit card numbers, or banking details.
Vishing is one form of “Mishing”, which is a term encompassing mobile-targeted phishing techniques that attackers are increasingly using to exploit the unique features of mobile devices, such as voice calls, texting (SMS), and cameras. Mishing includes the following attack methods:
- Vishing (voice phishing): Fraudulent voice calls used to trick users into divulging confidential information or taking another dangerous action. (FakeCall is an extremely sophisticated type of Vishing that couples malware with fraudulent calls.)
- Smishing (SMS phishing): Deceptive SMS messages that lure victims into clicking on malicious links or sharing sensitive data.
- Quishing (QR code phishing): Mobile cameras exploited to deliver phishing attacks through malicious QR codes.
- Email-based mobile phishing: Phishing emails specifically designed to be executed only when accessed through a mobile email client.
As mentioned above, FakeCall is an extremely sophisticated Vishing attack that leverages malware to take almost complete control of the mobile device, including the interception of incoming and outgoing calls. Victims are tricked into calling fraudulent phone numbers controlled by the attacker while the malware mimics the normal user experience on the device.
How the FakeCall Vishing Attack Works:
The attack typically begins when victims download an APK file, which acts as a dropper, onto an Android mobile device through a phishing attack. The dropper’s primary function is to install the actual malicious payload (the second stage) onto the victim’s device. The samples we have identified belong to this second-stage malware.
FakeCall malware is designed to communicate with a Command and Control (C2) server, enabling it to execute various actions aimed at deceiving the end user. This interaction occurs through a series of message exchanges between the malware and the C2 server.
The newly discovered variants of this malware are heavily obfuscated but remain consistent with the characteristics of earlier versions.
Our investigation began with what appeared to be a straightforward task: analyzing the app’s AndroidManifest.xml file. The manifest listed numerous activities, services, and receivers (entry points) that were absent from the decompiled code. This discrepancy suggested a more complex architecture, with the sample utilizing a dynamically decrypted and loaded .dex file containing the missing code.
Our Research team dumped the .dex file from the device’s memory to get the code to perform further static analysis.
As we delved deeper, a pattern emerged. The services, receivers, and activities closely resembled those from an older malware variant with the package name com.secure.assistant. This suggested a strategic evolution – some malicious functionality had been partially migrated to native code, making detection more challenging.
To bridge this gap, we will reference code from the older variant to shed light on the behavior of the new sample. This comparative analysis will provide valuable insights into the malware’s potential capabilities.
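The manifest-versus-code discrepancy described above is easy to check mechanically. The script below is an added example, not code from Zimperium or from the sample: it parses a decompiled AndroidManifest.xml, resolves each declared activity, service, receiver and provider to a fully qualified class name, and reports those with no class in the decompiled output, which is the signature of a payload loaded from a dynamically decrypted .dex. The manifest, package name and class list are constructed placeholders, not identifiers from the real samples.

```python
"""Added example: find manifest components with no backing class in the
decompiled code, a hint that a second .dex is decrypted and loaded at runtime."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest; the package and class names are placeholders.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <application android:name=".App">
    <activity android:name=".MainActivity"/>
    <activity android:name="com.example.placeholder.ui.FakeDialerActivity"/>
    <service android:name=".PhoneListenerService"/>
    <service android:name=".AccessService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".OutgoingCallReceiver">
      <intent-filter>
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BluetoothReceiver"/>
  </application>
</manifest>
"""

# Constructed set of classes found in the decompiled first-stage code
# (in practice: the class list emitted by jadx, apktool or similar).
DECOMPILED_CLASSES = {
    "com.example.placeholder.App",
    "com.example.placeholder.MainActivity",
    "com.example.placeholder.OutgoingCallReceiver",
}

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def declared_components(manifest_xml):
    """Return {fully qualified class name: component tag} for every component."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    result = {}
    for tag in COMPONENT_TAGS:
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if not name:
                continue
            # A leading dot means "relative to the package name"; a bare
            # name without any dot is also relative to the package.
            if name.startswith("."):
                name = package + name
            elif "." not in name:
                name = package + "." + name
            result[name] = tag
    return result


def missing_components(manifest_xml, classes):
    """Components declared in the manifest but absent from the decompiled code."""
    declared = declared_components(manifest_xml)
    return sorted(name for name in declared if name not in classes)


def component_summary(manifest_xml, classes):
    """Counts plus the list of unresolved components, for a quick triage report."""
    declared = declared_components(manifest_xml)
    missing = missing_components(manifest_xml, classes)
    return {"declared": len(declared), "missing": len(missing),
            "missing_names": missing}


if __name__ == "__main__":
    summary = component_summary(SAMPLE_MANIFEST, DECOMPILED_CLASSES)
    print(f"{summary['missing']} of {summary['declared']} components have no class:")
    for name in summary["missing_names"]:
        print("  ", name)
```

A high ratio of unresolved components is the cue to move from static analysis to a runtime dump of the loaded .dex, as the investigation above did.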
Beyond Legacy: A Look at the Evolving Functionality
The latest variants of this malware campaign introduce new functionalities, though some appear to be still under development. Below is a summary of the features observed in the analyzed samples:
Bluetooth Receiver
This receiver functions primarily as a listener, monitoring Bluetooth status and changes. Notably, there is no immediate evidence of malicious behavior in the source code, raising questions about whether it serves as a placeholder for future functionality.
Screen Receiver
Similar to the Bluetooth receiver, this component only monitors the screen’s state (on/off) without revealing any malicious activity in the source code.
Accessibility Service
The malware incorporates a new service inherited from the Android Accessibility Service, granting it significant control over the user interface and the ability to capture information displayed on the screen. The decompiled code shows methods such as onAccessibilityEvent() and onCreate() implemented in native code, obscuring their specific malicious intent.
While the provided code snippet focuses on the service’s lifecycle methods implemented in native code, earlier versions of the malware give us clues about possible functionality:
- Monitoring Dialer Activity: The service appears to monitor events from the com.skt.prod.dialer package (the stock dialer app), potentially allowing it to detect when the user is attempting to make calls using apps other than the malware itself.
- Automatic Permission Granting: The service seems capable of detecting permission prompts from the com.google.android.permissioncontroller (system permission manager) and com.android.systemui (system UI). Upon detecting specific events (e.g., TYPE_WINDOW_STATE_CHANGED), it can automatically grant permissions for the malware, bypassing user consent.
- Remote Control: The malware enables remote attackers to take full control of the victim’s device UI, allowing them to simulate user interactions, such as clicks, gestures, and navigation across apps. This capability enables the attacker to manipulate the device with precision.
Phone Listener Service
This service acts as a conduit between the malware and its Command and Control (C2) server, allowing the attacker to issue commands and execute actions on the infected device. Like its predecessor, the new variant provides attackers with a comprehensive set of capabilities (see the table below). Some functionalities have been moved to native code, while others are new additions, further enhancing the malware’s ability to compromise devices.
| Command | Description | JSON response sent to C&C |
| --- | --- | --- |
| Connected | Send to the C&C the info about the device | { "imei": "Settings.System.getString(context0.getContentResolver(), android_id)", "mobileNo": "TelephonyManager.getLine1Number() or TelephonyManager.getNetworkOperatorName() (depending on the permission approved)", "signal": 0, "Battery": "Get % of Battery", "Network": "NetworkManager.getTypeName() + NetworkManager.getSubtypeName()", "Token": "Token used in the exchange of commands", "defaultPhoneApp": "True/False depending on whether the app is the default dialer package", "version": null } |
| Load settings | Perform a query to the C&C, sending the device’s IMEI to get the configuration set by the attacker for this specific device | |
| Send SMS | Send an SMS with the content and to the phone number received from the C&C | |
| Delete SMS | Check if it has OP_READ_SMS permission and remove an SMS | |
| Upload Contacts | Send a JSON with all the contacts in the victim’s device | { "imei": "Settings.System.getString(context0.getContentResolver(), 'android_id')", "Totalcount": "Number of matches", "Contacts": [{ "Id": "<idcontact>", "Name": "<nameContact>", "Number": "<numberContact>" }, {…}] } |
| Upload CallLogs | Send to the C&C the list of calls received and made from the device | { "imei": "Settings.System.getString(context0.getContentResolver(), 'android_id')", "Totalcount": "Number of matches", "Logs": [{ "type": "Call type", "isNew": "isNew", "Date": "Date of the call", "duration": "Duration of the call", "number": "PhoneNumber", "Name": "ContactName" }, {…}] } |
| Upload SMS | Upload SMS that match the criteria received from the C&C | { "imei": "Settings.System.getString(context0.getContentResolver(), 'android_id')", "Msgs": [{ "id": "id", "name": "name of contact that received the SMS", "number": "number that received the SMS", "body": "content of the SMS", "date": "date of SMS" }, {…}], "total": "Number of matches" } |
| Delete App | Remove a specific application from the device | |
| Upload Location | Get the location of the device and send it to the C&C | { "imei": "Settings.System.getString(context0.getContentResolver(), 'android_id')", "Location": { "Longitude": "<location.longitude>", "Latitude": "<location.latitude>" } } |
| Start Record | Start an audio recording for a specific amount of time, store it in a file and send it to the C&C at the end | |
| End Call | Finish the call and return feedback (true or false) on whether it managed to end the call correctly | |
| Upload AppInfo | Get the list of all the installed apps and some information about them | { "imei": "Settings.System.getString(context0.getContentResolver(), 'android_id')", "Appinfos": [{ "icon": "icon bitmap compressed", "name": "name application", "version": "app version", "PackageName": "PackageName", "installDate": "installation date", "updateDate": "update date", "Type": "System or Custom app" }, {…}], "total": "Number of applications", "Systemtotal": "Number of System apps", "Customtotal": "Number of Custom apps" } |
| Live ON | Open a live stream of the camera. The command expects the bitrate of the video. It then launches the LiveMuxer handler, which creates a connection to the RTMP server. This handler uses an open-source native library | |
| Live Switch | Switch the active camera from the front to the rear camera and vice versa | |
| Live OFF | Close the RTMP camera streaming connection | |
| Add Contact | Add a new contact to the device with the data specified by the C&C | |
| Delete Contact | Remove a contact from the device | |
| Delete CallLog | Delete a specific call from the CallLog through its ID | |
| Take Pictures | Take a picture with the camera and send it back to the C&C | |
On the other side, the commands added in the new variant are collected in the table below. These demonstrate the malware’s ongoing development and its continued pursuit of expanding its capabilities to better serve the attacker’s interests.
| Command | Description | JSON response sent to C&C |
| --- | --- | --- |
| turnoff_bluetooth | Disable Bluetooth | |
| get_thumbnail_list | Get a list of thumbnails from the DCIM directory of the external storage and send the following JSON to the C&C | { "imei": "Settings.System.getString(context0.getContentResolver(), 'android_id')", "thumbnails": [ { "lastModified": "date last modified", "imagePath": "image path", "imageName": "image name" }, { … } ], "total": "Number of elements in external storage, excluding folders" } |
| upload_thumbnail_list | Compress the listed thumbnails to .jpg and upload them to the C&C | |
| Upload_full_image | Upload a specific image indicated by a parameter received from the C&C; compress it and send it via POST | |
| Delete_image | Delete a specific image specified by the C&C | |
| Remote_homekey | Use accessibility services to simulate a press of the home button | |
| Remote_wakeup | Determine whether the device’s screen is currently locked. If locked, unlock the device momentarily and disable auto-relocking. The command returns true to indicate successful unlocking. | |
| Remote_click | Use accessibility features to mimic a tap on the device at the coordinates designated by the C&C | |
| Request_phoneManager | Check which application is set as the default dialer | |
| Request_phone_call | Set the malware as the default dialer | |
| Remote_start | Initiate a video stream capturing the screen contents of the infected device using the MediaProjection API | |
| Remote_stop | Terminate the video stream transmission, halting the broadcast of the infected device’s screen contents | |
| Remote_get_image | Capture an image of the infected device’s display by taking a screenshot | |
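The JSON layouts in the two command tables above are stable enough to serve as a detection signature for proxy or sandbox captures. The script below is an added example and not Zimperium's tooling: it matches the top-level keys, and the keys of each record in the embedded list, of a captured HTTP body against the documented beacon formats (Connected, Upload Contacts, Upload CallLogs, Upload SMS, Upload Location, Upload AppInfo and get_thumbnail_list) and reports how many records an upload carries. The sample bodies are constructed, not real captures, and the key sets are taken from the tables as written.

```python
"""Added example: label captured C2 request bodies by their documented JSON
key layout and count the exfiltrated records."""
import json

# Key layouts from the command tables above:
# (top-level keys, name of the record list if any, keys of each record).
SIGNATURES = {
    "Connected": ({"imei", "mobileNo", "signal", "Battery", "Network", "Token",
                   "defaultPhoneApp", "version"}, None, None),
    "Upload Contacts": ({"imei", "Totalcount", "Contacts"}, "Contacts",
                        {"Id", "Name", "Number"}),
    "Upload CallLogs": ({"imei", "Totalcount", "Logs"}, "Logs",
                        {"type", "isNew", "Date", "duration", "number", "Name"}),
    "Upload SMS": ({"imei", "Msgs", "total"}, "Msgs",
                   {"id", "name", "number", "body", "date"}),
    "Upload Location": ({"imei", "Location"}, None, None),
    "Upload AppInfo": ({"imei", "Appinfos", "total", "Systemtotal", "Customtotal"},
                       "Appinfos", {"icon", "name", "version", "PackageName",
                                    "installDate", "updateDate", "Type"}),
    "get_thumbnail_list": ({"imei", "thumbnails", "total"}, "thumbnails",
                           {"lastModified", "imagePath", "imageName"}),
}

# Constructed request bodies standing in for a proxy capture.
SAMPLE_BODIES = [
    json.dumps({"imei": "0123456789abcdef", "mobileNo": "Carrier Name", "signal": 0,
                "Battery": "87", "Network": "MOBILE LTE", "Token": "tok-placeholder",
                "defaultPhoneApp": "True", "version": None}),
    json.dumps({"imei": "0123456789abcdef", "Totalcount": "2",
                "Contacts": [{"Id": "1", "Name": "Alice", "Number": "+10000000001"},
                             {"Id": "2", "Name": "Bob", "Number": "+10000000002"}]}),
    json.dumps({"imei": "0123456789abcdef",
                "Location": {"Longitude": "0.0", "Latitude": "0.0"}}),
    json.dumps({"status": "ok", "items": []}),   # unrelated, benign-looking JSON
    "not json at all",                            # binary or HTML body
]


def _records_match(items, item_keys):
    """Every record must be an object with exactly the documented keys."""
    return isinstance(items, list) and all(
        isinstance(item, dict) and set(item) == item_keys for item in items)


def classify_beacon(body):
    """Return the command whose documented layout matches `body`, else None."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(data, dict):
        return None
    for command, (top_keys, list_key, item_keys) in SIGNATURES.items():
        if set(data) != top_keys:
            continue
        if list_key is not None and not _records_match(data[list_key], item_keys):
            continue
        if command == "Upload Location":
            loc = data["Location"]
            if not isinstance(loc, dict) or set(loc) != {"Longitude", "Latitude"}:
                continue
        return command
    return None


def record_count(body):
    """Number of contact, call-log, SMS, app or thumbnail records in an upload."""
    command = classify_beacon(body)
    if command is None:
        return 0
    list_key = SIGNATURES[command][1]
    return len(json.loads(body)[list_key]) if list_key else 0


def triage_capture(bodies):
    """(label, record count) per body; label None means no documented layout matched."""
    return [(classify_beacon(b), record_count(b)) for b in bodies]


if __name__ == "__main__":
    for i, (label, count) in enumerate(triage_capture(SAMPLE_BODIES)):
        print(f"body {i}: {label or 'no match'} ({count} records)")
```

Exact key-set matching keeps the false-positive rate low; a variant that adds or renames a field will not match, so treat a near miss on "imei" plus a record list as worth a manual look rather than discarding it.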
Malware in Action
When launched, the app prompts the user to set it as the default call handler. Once designated as the default call handler, the app gains the ability to manage all incoming and outgoing calls. In conjunction with the OutgoingCallReceiver, it captures the android.intent.action.NEW_OUTGOING_CALL intent and extracts the phone number using getResultData(). The app then displays a custom interface mimicking the native com.android.dialer app, seamlessly integrating its malicious functionality.
The primary function of this application is to monitor outgoing calls and transmit this information to an external Command and Control (C2) server. However, the potential for misuse is significant:
- Identity Fraud: By exploiting its position as the default call handler, the app can modify the dialed number, replacing it with a malicious one via the setResultData() method, deceiving users into making fraudulent calls.
- Hijack Calls: The malware can intercept and control incoming and outgoing calls, covertly making unauthorized connections. In this case, users may be unaware until they remove the app or restart their device.
When the compromised individual attempts to contact their financial institution, the malware redirects the call to a fraudulent number controlled by the attacker. The malicious app deceives the user by displaying a convincing fake UI that appears to be the legitimate Android call interface and shows the real bank’s phone number. The victim remains unaware of the manipulation, as the malware’s fake UI mimics the actual banking experience, allowing the attacker to extract sensitive information or gain unauthorized access to the victim’s financial accounts.
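The two footholds described in this section and in the Accessibility Service section, a non-stock app holding the default call handler role and an accessibility service bound to an unknown package, are both visible in device settings. The script below is an added triage example, not code from the write-up: it parses the output of two real queries, `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure dialer_default_application`, and flags packages outside an analyst-maintained allowlist. The sample outputs and the com.example.placeholder package are constructed; com.android.dialer and com.skt.prod.dialer come from the text, while the Google dialer and TalkBack entries are assumed stock packages. On Android 10 and later the default dialer is tracked by the DIALER role and the legacy settings key may print "null"; this example then reports nothing for the dialer, and the analyst supplies the role holder by other means.

```python
"""Added example: flag an unexpected default dialer and unknown accessibility
services from `adb shell settings get secure ...` output."""
import subprocess

# Allowlists an analyst maintains. com.android.dialer and com.skt.prod.dialer
# are named in the write-up; the Google dialer and TalkBack are assumed stock.
KNOWN_DIALERS = {"com.android.dialer", "com.google.android.dialer",
                 "com.skt.prod.dialer"}
KNOWN_ACCESSIBILITY = {"com.google.android.marvin.talkback"}

# Constructed outputs of the two settings queries (placeholder package name).
SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.example.placeholder/.AccessService")
SAMPLE_DIALER = "com.example.placeholder"


def parse_enabled_services(raw):
    """Split 'pkg/cls:pkg/cls' into (package, fully qualified class) pairs."""
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    pairs = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue
        package, cls = entry.split("/", 1)
        if cls.startswith("."):          # relative class name
            cls = package + cls
        pairs.append((package, cls))
    return pairs


def triage(a11y_raw, dialer_raw, known_dialers=KNOWN_DIALERS,
           known_a11y=KNOWN_ACCESSIBILITY):
    """Return the accessibility services and default dialer not on the allowlists."""
    unknown = [f"{pkg}/{cls}" for pkg, cls in parse_enabled_services(a11y_raw)
               if pkg not in known_a11y]
    dialer = (dialer_raw or "").strip()
    unexpected = dialer if dialer not in ("", "null") and dialer not in known_dialers else None
    return {"unknown_accessibility": unknown, "unexpected_dialer": unexpected}


def query_device(serial=None):
    """Run the two settings queries on a connected device (needs adb on PATH)."""
    base = ["adb"] + (["-s", serial] if serial else []) + \
           ["shell", "settings", "get", "secure"]

    def get(key):
        return subprocess.run(base + [key], capture_output=True,
                              text=True, check=True).stdout
    return get("enabled_accessibility_services"), get("dialer_default_application")


if __name__ == "__main__":
    # Swap the constructed strings for query_device() on a real device.
    findings = triage(SAMPLE_A11Y, SAMPLE_DIALER)
    for svc in findings["unknown_accessibility"]:
        print("accessibility service from unknown package:", svc)
    if findings["unexpected_dialer"]:
        print("default dialer is not a known dialer:", findings["unexpected_dialer"])
```

Either finding on its own is not proof of compromise, but a package that holds the dialer role and an accessibility service at the same time, and has no launcher icon (see the Hide Artifacts entry below), is the profile this family presents.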
Zimperium vs FakeCall
Zimperium’s research team identified 13 apps and 2 dex files associated with the new FakeCall campaign. Users of Zimperium’s Mobile Threat Defense (MTD) and Runtime Protection SDK (Zimperium zDefend) are fully protected from FakeCall and these new variants, thanks to the patented Dynamic On-Device Detection Engine embedded in these solutions.
MITRE ATT&CK Techniques
| Tactic | ID | Name | Description |
| --- | --- | --- | --- |
| Initial Access | T1660 | Phishing | The victims are lured into installing the first stage through phishing campaigns. |
| Persistence | T1398 | Boot or Logon Initialization Scripts | It gets access to accessibility services and installs service providers. |
| Persistence | T1541 | Foreground Persistence | The PhoneListener service is always on to get access to sensors and communicate with the C&C. |
| Defense Evasion | T1406.002 | Obfuscated Files or Information: Software Packing | It uses obfuscation and packers to conceal its code. |
| Defense Evasion | T1407 | Download New Code at Runtime | Stage one downloads and executes the second stage. |
| Defense Evasion | T1575 | Native API | Methods moved from Java to native code for increased analysis difficulty. |
| Defense Evasion | T1628.001 | Hide Artifacts: Suppress Application Icon | The icon of the second stage is not present in the launcher. |
| Credential Access | T1417.002 | Input Capture: GUI Input Capture | By leveraging screen sharing, an attacker can surreptitiously capture and steal sensitive credentials from the compromised device. |
| Discovery | T1420 | File and Directory Discovery | The malware can access and browse the DCIM folder, listing and accessing thumbnail files. |
| Discovery | T1430 | Location Tracking | The malware can get the victim’s current location data. |
| Collection | T1429 | Audio Capture | It can record and exfiltrate audio. |
| Collection | T1616 | Call Control | It can control outgoing and incoming calls. |
| Collection | T1417.002 | Input Capture: GUI Input Capture | By leveraging screen sharing, an attacker can surreptitiously capture and steal sensitive credentials from the compromised device. |
| Collection | T1430 | Location Tracking | It gets the victim’s current location data and sends it to the C&C. |
| Collection | T1636.002 | Protected User Data: Call Log | It can get and exfiltrate the call logs. |
| Collection | T1636.003 | Protected User Data: Contact List | It can get and exfiltrate the contact list. |
| Collection | T1636.004 | Protected User Data: SMS Messages | It can get and exfiltrate SMS messages. |
| Collection | T1513 | Screen Capture | It can capture screenshots and transmit them back to its C&C. |
| Collection | T1512 | Video Capture | It can capture video footage from the device’s camera and transmit it back to its C&C. |
| Command and Control | T1616 | Call Control | It can control outgoing and incoming calls from its C&C. |
| Exfiltration | T1646 | Exfiltration Over C2 Channel | It uses the HTTPS protocol to exfiltrate data. |
| Impact | T1616 | Call Control | It can manipulate both outgoing and incoming phone calls on the affected device, allowing an attacker to seize control of the device’s communication channels. |
| Impact | T1582 | SMS Control | It can read, delete, and transmit SMS messages from the compromised device. |
| Impact | T1516 | Input Injection | The malware can simulate user interactions by performing clicks on the victim’s device, allowing for remote control-like functionality. |
Indicators of Compromise (IOCs)
IOCs can be found here.