Mishing in Motion: Uncovering the Evolving Functionality of FakeCall Malware


Executive Summary

As part of our ongoing mission to identify emerging threats to mobile security, our zLabs team has been actively tracking a new variant of a well-known malware previously reported by ThreatFabric and Kaspersky. This malware, named FakeCall, employs a technique known as Vishing (voice phishing), in which fraudulent phone calls or voice messages are used to deceive victims into disclosing sensitive information, such as login credentials, credit card numbers, or banking details.

Vishing is one form of "Mishing", a term encompassing mobile-targeted phishing techniques that attackers increasingly use to exploit features unique to mobile devices, such as voice calls, texting (SMS), and cameras. Mishing includes the following attack methods:

  • Vishing (voice phishing): Fraudulent voice calls used to trick users into divulging confidential information or taking another dangerous action. (FakeCall is an extremely sophisticated type of Vishing that combines malware with fraudulent calls.)
  • Smishing (SMS phishing): Deceptive SMS messages that lure victims into clicking on malicious links or sharing sensitive data.
  • Quishing (QR code phishing): Mobile cameras exploited to deliver phishing attacks through malicious QR codes.
  • Email-based mobile phishing: Phishing emails specifically designed to be executed only when accessed through a mobile email client.

As mentioned above, FakeCall is an extremely sophisticated Vishing attack that leverages malware to take almost complete control of the mobile device, including the interception of incoming and outgoing calls. Victims are tricked into calling fraudulent phone numbers controlled by the attacker while the malware mimics the device's normal calling experience.

How the FakeCall Vishing Attack Works:

The attack typically begins when the victim is lured by a phishing message into downloading an APK file onto an Android device. This first-stage APK acts as a dropper: its primary function is to install the actual malicious payload (the second stage) on the victim's device. The samples we have identified belong to this second-stage malware.

FakeCall malware is designed to communicate with a Command and Control (C2) server, enabling it to execute various actions aimed at deceiving the end user. This interaction occurs through a series of message exchanges between the malware and the C2 server.

The newly discovered variants of this malware are heavily obfuscated but remain consistent with the characteristics of earlier versions.

Our investigation began with what appeared to be a straightforward task: analyzing the app’s AndroidManifest.xml file. The manifest listed numerous activities, services, and receivers (entry points) that were absent from the decompiled code. This discrepancy suggested a more complex architecture, with the sample utilizing a dynamically decrypted and loaded .dex file containing the missing code.

Our research team dumped the .dex file from the device's memory to recover the code for further static analysis.

As we delved deeper, a pattern emerged. The services, receivers, and activities closely resembled those of an older malware variant with the package name com.secure.assistant. This suggested a strategic evolution: part of the malicious functionality had been migrated to native code, making detection and analysis more challenging.

To bridge this gap, we will reference code from the older variant to shed light on the behavior of the new sample. This comparative analysis will provide valuable insights into the malware’s potential capabilities.
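The manifest-versus-dex discrepancy described above is easy to check mechanically. The following script is an added example (not Zimperium's tooling or code from the sample): it parses a decoded AndroidManifest.xml, resolves each declared activity, service and receiver to a fully qualified class name, and reports every component that has no class in the static classes.dex (the class list would normally come from dexdump or jadx). A long list of missing entry points, especially ones bound to accessibility or outgoing-call actions, is the signal that code is decrypted and loaded at runtime. The manifest fragment, package name and class list below are constructed for illustration.

```python
"""Flag manifest-declared components that have no class in the static dex.

Added example (not Zimperium's tooling). The manifest, package and class
names are constructed; only the loader stub is present in the fake dex.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragment; com.example.dropped is hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dropped">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <application>
    <activity android:name=".MainActivity"/>
    <activity android:name="com.example.dropped.ui.FakeDialerActivity"/>
    <service android:name=".PhoneListenerService"/>
    <service android:name=".AccessService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".OutgoingCallReceiver">
      <intent-filter>
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BluetoothReceiver"/>
    <receiver android:name=".ScreenReceiver"/>
  </application>
</manifest>
"""

# Constructed class list, as if read from the static classes.dex.
SAMPLE_DEX_CLASSES = {
    "com.example.dropped.MainActivity",
    "com.example.dropped.Loader",
}

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Actions that matter for a FakeCall-style sample.
WATCHED_ACTIONS = {
    "android.intent.action.NEW_OUTGOING_CALL",
    "android.accessibilityservice.AccessibilityService",
}


def resolve_class(pkg, name):
    """Expand the short forms Android allows in android:name."""
    if name.startswith("."):
        return pkg + name
    if "." not in name:
        return pkg + "." + name
    return name


def declared_components(manifest_xml):
    """Return (tag, fully qualified class, [intent actions]) per component."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    app = root.find("application")
    out = []
    for tag in COMPONENT_TAGS:
        for el in app.iter(tag):
            name = el.get(f"{{{ANDROID_NS}}}name")
            actions = [a.get(f"{{{ANDROID_NS}}}name") for a in el.iter("action")]
            out.append((tag, resolve_class(pkg, name), actions))
    return out


def missing_components(manifest_xml, dex_classes):
    """Components declared in the manifest but absent from the dex class set."""
    return [c for c in declared_components(manifest_xml) if c[1] not in dex_classes]


def interesting_actions(components):
    """Watched intent actions bound to the given components, sorted."""
    return sorted({a for _, _, acts in components for a in acts if a in WATCHED_ACTIONS})


if __name__ == "__main__":
    missing = missing_components(SAMPLE_MANIFEST, SAMPLE_DEX_CLASSES)
    total = len(declared_components(SAMPLE_MANIFEST))
    print(f"{len(missing)}/{total} declared components have no class in classes.dex")
    for tag, cls, acts in missing:
        print(f"  {tag:8s} {cls}  {acts}")
    print("watched actions on missing components:", interesting_actions(missing))
```

On a real sample, feed the script the manifest decoded by apktool and the class names from the dex; once the runtime-loaded .dex has been dumped from memory, re-run it against the union of both class sets and the list of missing components should shrink to nothing.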

Beyond Legacy: A Look at the Evolving Functionality

The latest variants of this malware campaign introduce new functionalities, though some appear to be still under development. Below is a summary of the features observed in the analyzed samples:

Bluetooth Receiver

This receiver functions primarily as a listener, monitoring Bluetooth status and changes. Notably, there is no immediate evidence of malicious behavior in the source code, raising questions about whether it serves as a placeholder for future functionality.

Screen Receiver

Similar to the Bluetooth receiver, this component only monitors the screen’s state (on/off) without revealing any malicious activity in the source code.

Accessibility Service

The malware incorporates a new service derived from Android's AccessibilityService, granting it significant control over the user interface and the ability to capture information displayed on the screen. The decompiled code shows lifecycle methods such as onAccessibilityEvent() and onCreate() implemented in native code, which obscures their specific malicious intent.

While the new sample pushes the service's lifecycle methods into native code, earlier versions of the malware give us clues about the likely functionality:

  • Monitoring Dialer Activity: The service appears to monitor events from the com.skt.prod.dialer package (the stock dialer app), potentially allowing it to detect when the user is attempting to make calls using apps other than the malware itself.
  • Automatic Permission Granting: The service seems capable of detecting permission prompts from the com.google.android.permissioncontroller (system permission manager) and com.android.systemui (system UI). Upon detecting specific events (e.g., TYPE_WINDOW_STATE_CHANGED), it can automatically grant permissions for the malware, bypassing user consent.
  • Remote Control: The malware enables remote attackers to take full control of the victim’s device UI, allowing them to simulate user interactions, such as clicks, gestures, and navigation across apps. This capability enables the attacker to manipulate the device with precision.

Phone Listener Service

This service acts as the conduit between the malware and its Command and Control (C2) server, allowing the attacker to issue commands and execute actions on the infected device. Like its predecessor, the new variant provides attackers with a comprehensive set of capabilities (see the table below). Some of this functionality has been moved to native code, while other commands are new additions that further extend the malware's ability to compromise the device.

Command / Description / JSON response sent to C&C (where one is sent)

Connected
  Description: Send the C&C information about the device.
  JSON sent to C&C:
  {
    "imei": "Settings.System.getString(context0.getContentResolver(), 'android_id')",
    "mobileNo": "TelephonyManager.getLine1Number() or TelephonyManager.getNetworkOperatorName() (depending on the permission approved)",
    "signal": 0,
    "Battery": "Get % of Battery",
    "Network": "NetworkManager.getTypeName() + NetworkManager.getSubtypeName()",
    "Token": "Token used in the exchange of commands",
    "defaultPhoneApp": "True/False depending on whether the app is the default dialer package",
    "version": null
  }

Load settings
  Description: Query the C&C, sending the device identifier (the "imei" value above), to retrieve the configuration the attacker has set for this specific device.

Send SMS
  Description: Send an SMS with the content and to the phone number received from the C&C.

Delete SMS
  Description: Check whether it holds the OP_READ_SMS permission and remove an SMS.

Upload Contacts
  Description: Send a JSON with all the contacts on the victim's device.
  JSON sent to C&C:
  {
    "imei": "Settings.System.getString(context0.getContentResolver(), 'android_id')",
    "Totalcount": "Number of matches",
    "Contacts": [{
      "Id": "<idcontact>",
      "Name": "<nameContact>",
      "Number": "<numberContact>"
    }, {...}]
  }

Upload CallLogs
  Description: Send the C&C the list of calls received and made from the device.
  JSON sent to C&C:
  {
    "imei": "Settings.System.getString(context0.getContentResolver(), 'android_id')",
    "Totalcount": "Number of matches",
    "Logs": [{
      "type": "Call type",
      "isNew": "isNew",
      "Date": "Date of the call",
      "duration": "Duration of the call",
      "number": "PhoneNumber",
      "Name": "ContactName"
    }, {...}]
  }

Upload SMS
  Description: Upload the SMS messages that match the criteria received from the C&C.
  JSON sent to C&C:
  {
    "imei": "Settings.System.getString(context0.getContentResolver(), 'android_id')",
    "Msgs": [{
      "id": "id",
      "name": "name of the contact that received the SMS",
      "number": "number that received the SMS",
      "body": "content of the SMS",
      "date": "date of the SMS"
    }, {...}],
    "total": "Number of matches"
  }

Delete App
  Description: Remove a specific application from the device.

Upload Location
  Description: Get the location of the device and send it to the C&C.
  JSON sent to C&C:
  {
    "imei": "Settings.System.getString(context0.getContentResolver(), 'android_id')",
    "Location": {
      "Longitude": "<location.longitude>",
      "Latitude": "<location.latitude>"
    }
  }

Start Record
  Description: Start an audio recording for a specific amount of time, store it in a file, and send the file to the C&C at the end.

End Call
  Description: End the current call and return feedback (true or false) indicating whether the call was ended successfully.

Upload AppInfo
  Description: Get the list of all installed apps and some information about each of them.
  JSON sent to C&C:
  {
    "imei": "Settings.System.getString(context0.getContentResolver(), 'android_id')",
    "Appinfos": [{
      "icon": "icon bitmap, compressed",
      "name": "application name",
      "version": "app version",
      "PackageName": "PackageName",
      "installDate": "installation date",
      "updateDate": "update date",
      "Type": "System or Custom app"
    }, {...}],
    "total": "Number of applications",
    "Systemtotal": "Number of System apps",
    "Customtotal": "Number of Custom apps"
  }

Live ON
  Description: Open a live stream of the camera. The command expects the video bitrate as a parameter; it then launches the LiveMuxer handler, which opens a connection to the RTMP server. This handler uses an open-source native library.

Live Switch
  Description: Switch the active camera from the front camera to the rear camera, or vice versa.

Live OFF
  Description: Close the RTMP camera streaming connection.

Add Contact
  Description: Add a new contact to the device with the data specified by the C&C.

Delete Contact
  Description: Remove a contact from the device.

Delete CallLog
  Description: Delete a specific call from the call log by its ID.

Take Pictures
  Description: Take a picture with the camera and send it back to the C&C.

Note that the field named "imei" in every message is populated from the android_id setting, i.e. the device's Android ID, not the IMEI; it nevertheless serves as the per-device identifier across the whole protocol.

The commands added in the new variant are collected in the table below. They demonstrate the malware's ongoing development and its continued pursuit of new capabilities that serve the attacker's interests.

Command / Description / JSON response sent to C&C (where one is sent)

turnoff_bluetooth
  Description: Disable Bluetooth.

get_thumbnail_list
  Description: Get a list of thumbnails from the DCIM directory of external storage and send the following JSON to the C&C.
  JSON sent to C&C:
  {
    "imei": "Settings.System.getString(context0.getContentResolver(), 'android_id')",
    "thumbnails": [
      {
        "lastModified": "date the file was last modified",
        "imagePath": "image path",
        "imageName": "image name"
      }, {...}
    ],
    "total": "Number of elements in external storage, excluding folders"
  }

upload_thumbnail_list
  Description: Compress the listed thumbnails to .jpg and upload them to the C&C.

Upload_full_image
  Description: Upload a specific image named in a parameter received from the C&C, compressing it and sending it via POST.

Delete_image
  Description: Delete a specific image specified by the C&C.

Remote_homekey
  Description: Use the accessibility service to simulate a press of the home button.

Remote_wakeup
  Description: Determine whether the device's screen is currently locked. If it is, unlock the device momentarily and disable auto-relocking. The command returns true to indicate a successful unlock.

Remote_click
  Description: Use the accessibility service to simulate a tap on the device at the coordinates designated by the C&C.

Request_phoneManager
  Description: Check which application is set as the default dialer.

Request_phone_call
  Description: Set the malware as the default dialer.

Remote_start
  Description: Start a video stream of the infected device's screen contents using the MediaProjection API.

Remote_stop
  Description: Terminate the video stream, halting the broadcast of the infected device's screen contents.

Remote_get_image
  Description: Capture an image of the infected device's display by taking a screenshot.
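The two tables above amount to a message format, and a format is something a network or proxy sensor can match on regardless of which C&C host a given campaign uses. The following is an added example (not Zimperium's detection engine and not code from the sample) that turns the required top-level keys of each exfiltration message into a content signature and applies it to HTTP POST bodies. It also checks what the "imei" field actually carries: the post shows it is filled from android_id, so a 16-character hex value rather than a 15-digit IMEI is itself a tell. The three sample bodies are constructed.

```python
"""Content signature for FakeCall C&C messages.

Added example, not Zimperium's detection engine. The required-key sets are
taken from the command tables in the post; the sample bodies are constructed.
"""
import json

# Message name -> top-level keys that must all be present in the JSON body.
FAKECALL_MESSAGES = {
    "Connected": {"imei", "mobileNo", "signal", "Battery", "Network",
                  "Token", "defaultPhoneApp"},
    "Upload AppInfo": {"imei", "Appinfos", "total", "Systemtotal", "Customtotal"},
    "Upload Contacts": {"imei", "Totalcount", "Contacts"},
    "Upload CallLogs": {"imei", "Totalcount", "Logs"},
    "Upload SMS": {"imei", "Msgs", "total"},
    "get_thumbnail_list": {"imei", "thumbnails", "total"},
    "Upload Location": {"imei", "Location"},
}


def looks_like_android_id(value):
    """ANDROID_ID is a 64-bit value rendered as 16 hex chars; an IMEI is 15 digits."""
    return (isinstance(value, str) and len(value) == 16
            and all(c in "0123456789abcdef" for c in value.lower()))


def classify(body):
    """Return (message_name, info) for a matching body, else (None, reason)."""
    try:
        obj = json.loads(body)
    except (TypeError, ValueError):
        return None, "not JSON"
    if not isinstance(obj, dict):
        return None, "not a JSON object"
    keys = set(obj)
    # Most specific signature first, so a larger body is not claimed by a
    # smaller key set that happens to be a subset of it.
    for name, required in sorted(FAKECALL_MESSAGES.items(), key=lambda kv: -len(kv[1])):
        if required <= keys:
            return name, {
                "android_id_in_imei": looks_like_android_id(obj.get("imei")),
                "extra_keys": sorted(keys - required),
            }
    return None, "no signature matched"


def scan(bodies):
    """Classify a batch of POST bodies; returns [(index, name, info)] for hits only."""
    hits = []
    for i, body in enumerate(bodies):
        name, info = classify(body)
        if name:
            hits.append((i, name, info))
    return hits


# Constructed sample bodies: a beacon, a contact dump, and a benign request.
SAMPLE_BODIES = [
    json.dumps({"imei": "0123456789abcdef", "mobileNo": "+15555550100", "signal": 0,
                "Battery": "87", "Network": "MOBILE LTE", "Token": "tok",
                "defaultPhoneApp": "True", "version": None}),
    json.dumps({"imei": "0123456789abcdef", "Totalcount": 1,
                "Contacts": [{"Id": "7", "Name": "Bank", "Number": "+15555550199"}]}),
    json.dumps({"user": "alice", "action": "login"}),
]

if __name__ == "__main__":
    for i, name, info in scan(SAMPLE_BODIES):
        print(f"body[{i}] -> {name}: {info}")
```

Key-set matching is deliberately loose about values, so it keeps working when the operators change the C&C domain or the pseudo-IMEI; pair it with the Android ID check and a threshold on repeated hits from one client to keep false positives down on generic JSON APIs.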

Malware in Action

When launched, the app prompts the user to set it as the default call handler. Once designated as the default call handler, the app gains the ability to manage all incoming and outgoing calls. In conjunction with its OutgoingCallReceiver, it captures the android.intent.action.NEW_OUTGOING_CALL broadcast and extracts the dialed number with getResultData() (that broadcast has been deprecated since Android 10, but the default dialer role still gives the app control over the call path). The app then displays a custom interface mimicking the native com.android.dialer app, seamlessly integrating its malicious functionality.

The primary function of this application is to monitor outgoing calls and transmit this information to an external Command and Control (C2) server. However, the potential for misuse is significant:

  • Identity Fraud: By exploiting its position as the default call handler, the app can modify the dialed number, replacing it with a malicious one via the setResultData() method, deceiving users into making fraudulent calls.
  • Hijack Calls: The malware can intercept and control incoming and outgoing calls, covertly making unauthorized connections. In this case, users may be unaware until they remove the app or restart their device.

When the compromised individual attempts to contact their financial institution, the malware redirects the call to a fraudulent number controlled by the attacker. The malicious app deceives the user by displaying a convincing fake UI that looks like the legitimate Android call screen and shows the bank's real phone number. The victim remains unaware of the manipulation, since the fake UI mimics the genuine banking call experience, allowing the attacker to extract sensitive information or gain unauthorized access to the victim's financial accounts.
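The abuse described in this section rests on two device-level settings an incident responder can read directly: which package holds the default dialer role, and which accessibility services are enabled. The script below is an added example (not part of the original post or of Zimperium's products) that parses the text printed by three adb commands and flags a third-party package holding the dialer role, raising the severity when the same package also has an enabled accessibility service, which is the combination FakeCall relies on:

    adb shell cmd role get-role-holders android.app.role.ROLE_DIALER
    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -3

The assumed output formats are: role holders separated by ';', accessibility services as ':'-separated 'package/class' entries ('null' when none are enabled), and pm lines of the form 'package:<name>'. The command outputs and package names below are constructed.

```python
"""Triage an Android device for FakeCall-style configuration.

Added example, not from the original post. Parses constructed output of
`cmd role get-role-holders`, `settings get secure
enabled_accessibility_services` and `pm list packages -3`; output formats
are assumptions stated in the lead-in, package names are hypothetical.
"""

# Constructed command output -------------------------------------------------
ROLE_DIALER_OUT = "com.example.dropped\n"
ACCESSIBILITY_OUT = ("com.example.dropped/.AccessService:"
                     "com.google.android.marvin.talkback/.TalkBackService\n")
PM_LIST_3_OUT = "package:com.example.dropped\npackage:com.example.game\n"

# Dialers expected to hold ROLE_DIALER; extend this per device fleet.
EXPECTED_DIALERS = {"com.google.android.dialer", "com.android.dialer",
                    "com.samsung.android.dialer"}


def parse_role_holders(out):
    """';'-separated package names (assumed format)."""
    return [p for p in out.strip().split(";") if p]


def parse_accessibility_services(out):
    """Map package -> 'package/class' for each enabled accessibility service."""
    text = out.strip()
    if not text or text == "null":
        return {}
    return {e.split("/", 1)[0]: e for e in text.split(":") if e}


def parse_third_party_packages(out):
    """Package names from 'package:<name>' lines."""
    return {line.split(":", 1)[1].strip() for line in out.splitlines()
            if line.startswith("package:")}


def triage(role_out, access_out, pm_out):
    """Return findings as [{'package', 'severity', 'reason'}], worst first."""
    findings = []
    third_party = parse_third_party_packages(pm_out)
    access = parse_accessibility_services(access_out)
    for pkg in parse_role_holders(role_out):
        if pkg in EXPECTED_DIALERS:
            continue
        if pkg in access:
            findings.append({"package": pkg, "severity": "high",
                             "reason": "unexpected default dialer with enabled "
                                       f"accessibility service {access[pkg]}"})
        else:
            findings.append({"package": pkg, "severity": "medium",
                             "reason": "unexpected default dialer"})
    # Other third-party apps with an accessibility service are common enough
    # (screen readers, automation tools) that they only warrant a look.
    for pkg, svc in access.items():
        if pkg in third_party and all(f["package"] != pkg for f in findings):
            findings.append({"package": pkg, "severity": "low",
                             "reason": f"third-party accessibility service {svc}"})
    return findings


if __name__ == "__main__":
    for f in triage(ROLE_DIALER_OUT, ACCESSIBILITY_OUT, PM_LIST_3_OUT):
        print(f"[{f['severity']}] {f['package']}: {f['reason']}")
```

On a live device, capture the three outputs with adb and pass them to triage(); a "high" finding for a package that is not a recognised dialer is the condition under which the call redirection described above becomes possible, and the package named in it is the one to pull for analysis.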

Zimperium vs FakeCall

Zimperium’s research team identified 13 apps and 2 dex files associated with the new FakeCall campaign. Users of Zimperium’s Mobile Threat Defense (MTD) and Runtime Protection SDK (Zimperium zDefend) are fully protected from FakeCall and these new variants, thanks to the patented Dynamic On-Device Detection Engine embedded in these solutions.

MITRE ATT&CK Techniques

Tactic / ID / Name / Description

Initial Access
  T1660  Phishing: The victims are lured into installing the first stage through phishing campaigns.

Persistence
  T1398  Boot or Logon Initialization Scripts: It gets access to accessibility services and installs service providers.
  T1541  Foreground Persistence: The PhoneListener service is always on to keep access to sensors and communicate with the C&C.

Defense Evasion
  T1406.002  Obfuscated Files or Information: Software Packing: It uses obfuscation and packers to conceal its code.
  T1407  Download New Code at Runtime: Stage one downloads and executes the second stage.
  T1575  Native API: Methods moved from Java to native code to increase analysis difficulty.
  T1628.001  Hide Artifacts: Suppress Application Icon: The icon of the second stage is not present in the launcher.

Credential Access
  T1417.002  Input Capture: GUI Input Capture: By leveraging screen sharing, an attacker can surreptitiously capture and steal sensitive credentials from the compromised device.

Discovery
  T1420  File and Directory Discovery: The malware can browse the DCIM folder and list and access thumbnail files.
  T1430  Location Tracking: The malware can obtain the victim's current location data.

Collection
  T1429  Audio Capture: It can record and exfiltrate audio.
  T1616  Call Control: It can control outgoing and incoming calls.
  T1417.002  Input Capture: GUI Input Capture: By leveraging screen sharing, an attacker can surreptitiously capture and steal sensitive credentials from the compromised device.
  T1430  Location Tracking: It obtains the victim's current location data and sends it to the C&C.
  T1636.002  Protected User Data: Call Log: It can collect and exfiltrate the call logs.
  T1636.003  Protected User Data: Contact List: It can collect and exfiltrate the contact list.
  T1636.004  Protected User Data: SMS Messages: It can collect and exfiltrate SMS messages.
  T1513  Screen Capture: It can capture screenshots and transmit them back to its C&C.
  T1512  Video Capture: It can capture video from the device's camera and transmit it back to its C&C.

Command and Control
  T1616  Call Control: It can control outgoing and incoming calls on instruction from its C&C.

Exfiltration
  T1646  Exfiltration Over C2 Channel: It uses HTTPS to exfiltrate data.

Impact
  T1616  Call Control: It can manipulate both outgoing and incoming phone calls on the affected device, allowing an attacker to seize control of the device's communication channels.
  T1582  SMS Control: It can read, delete, and send SMS messages from the compromised device.
  T1516  Input Injection: The malware can simulate user interactions by performing clicks on the victim's device, providing remote-control-like functionality.

Indicators of Compromise (IOCs)

IOCs can be found here.

About the author: Malware Researcher, Zimperium zLabs.