www.darkreading.com
2606:4700::6810:e1ab
Public Scan
URL:
https://www.darkreading.com/cyberattacks-data-breaches/vishing-mishing-fakecall-android-malware
Submission: On November 03 via api from SA — Scanned from US
Form analysis
0 forms found in the DOM

Text Content
VISHING, MISHING GO NEXT-LEVEL WITH FAKECALL ANDROID MALWARE

A new variant of the sophisticated attacker tool gives cybercriminals even more control over victim devices to conduct various malicious activities, including fraud and cyber espionage.

Elizabeth Montalbano, Contributing Writer
October 30, 2024

A new variant of a sophisticated malware that helps attackers carry out advanced voice and mobile phishing (aka vishing and mishing) attacks against Android users has evolved with new capabilities that extend their control over compromised devices to commit further malicious activities.

FakeCall, a malware that's been tracked by various research groups since at least 2022, conducts the attacks by tricking victims into calling fraudulent phone numbers controlled by the attacker, and then impersonating a typical conversation with bank employees or other entities aimed at defrauding the user in some way.

FakeCall's capability historically lies inherently in its design for communicating with an attacker-controlled command-and-control (C2) server, enabling it to execute a range of actions aimed at deceiving the end user. In addition to allowing attackers to control a person's phone calls, it also allows them to gain access to various permissions to Android devices for other malicious activity.

Researchers at Zimperium zLabs now have discovered a new variant of FakeCall that adds novel capabilities — some of which appear to be under development — that give attackers even more capabilities to monitor people's device activity and control the device with even more precision, they revealed in a blog post published today.

The variant demonstrates attackers coming up with new and strategic ways to create a more seamless integration with Android devices, which can help the malware avoid detection and remain active on a user's device without them knowing, the researchers found.

FAKECALL'S EXTENSION OF MALICIOUS CAPABILITIES

Specifically, one of the features allows for the malware to integrate with Android's Accessibility Service to give attackers "significant control over the user interface and the ability to capture information displayed on the screen," according to the post.

The feature demonstrates how attackers can evolve past simple device permissions to abuse an even more complex attack vector, "granting attackers near-total control to intercept calls, access sensitive data, and manipulate the user interface," notes Jason Soroko, senior fellow at Sectigo, a provider of certificate life-cycle management (CLM). By seamlessly mimicking legitimate interfaces, attackers also are making detection by users "nearly impossible," he says, highlighting a critical need for advanced security solutions capable of detecting this threat.

Other new features extend FakeCall's persistent spyware capabilities, which have existed since it was first discovered and set it apart from other vishing and mishing attacks, which tend to be a one-time engagement. One of these is a Bluetooth receiver that acts as a listener to monitor Bluetooth status and changes, while the other is similar, but it acts as a screen receiver to monitor the state of the device's screen.

HOW A FAKECALL ATTACK WORKS

FakeCall was first detailed by researchers at Kaspersky in April 2022 as a banking Trojan with extended capability to intercept calls that users make with their banks, to create a fake customer-service experience for malicious purposes. The malware also had some spyware capabilities, including a feature to turn on a device's microphone and send recordings from it to an attacker's C2 server; the ability to secretly broadcast audio and video from the phone in real-time; and the option to pinpoint device location.

A typical FakeCall attack begins when victims download a malicious APK file (masquerading as a legitimate app) onto an Android mobile device through a phishing attack, which acts as a dropper for FakeCall. When launched, the app prompts the user to set it as the default call handler and, once designated, attackers can manage all incoming and outgoing calls.

The malware then displays a custom interface mimicking the native Android dialer, seamlessly integrating its malicious functionality.

While the primary function of FakeCall is to monitor outgoing calls and transmit info to attackers via a C2 server, cyberattackers also can commit other malicious activities using the malware. These include identity fraud, which can be done by exploiting FakeCall's position as the default call handler. The malware can modify the dialed number, replacing it with a malicious one and thus deceiving users into making fraudulent calls.

Attackers also can use FakeCall's adversary-in-the-middle (AitM) approach to hijack incoming and outgoing calls, to make unauthorized connections with other mobile device users. "In this case, users may be unaware until they remove the app or restart their device," according to the post.

DEFENDING AGAINST FAKECALL ATTACKS

As vishing and mishing attacks have become a worldwide epidemic that defrauds users of millions of dollars annually — including even the most tech-savvy individuals — it's imperative that people learn to defend themselves from sophisticated versions of these attacks, experts say. One way to do this is to scrutinize carefully any Android apps being downloaded or used on devices, and to only acquire apps from trusted app stores, Soroko says.

FakeCall is especially dangerous to enterprises given that mobile these days is a primary tool for doing business. This makes compromise of that device potentially "catastrophic," notes Mika Aalto, co-founder and CEO at Hoxhunt, a human risk-management platform. To avoid this scenario, the most important thing that companies can do, Aalto says, is to "equip senior management and employees with the skills and tools to recognize and safely report a mobile phishing attack."

ABOUT THE AUTHOR

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.