Cybersecurity researchers from Kaspersky Lab have described a banking Trojan called Fakecalls. In addition to the usual spy functions, it has an interesting ability to “talk” with the victim, imitating communication with a bank employee.
Fakecalls simulates mobile applications of popular Korean banks, including KB (Kookmin Bank) and KakaoBank. In addition to the usual logos, the Trojan creators display the support service numbers of the respective banks on the Fakecalls screen. The phone numbers seem real (one of the numbers can be found on the main page of the official KakaoBank website).
When installed, the Trojan requests a number of permissions, including access to contacts, microphone and camera, geolocation, call processing, etc.
Unlike other banking Trojans, Fakecalls can simulate phone conversations with customer support. If the victim calls the bank’s hotline, the Trojan silently drops the connection and opens its own fake call screen instead of the usual call application. While the user suspects nothing, the attackers take control of the situation.
The only thing that can give the Trojan away is the fake call screen. Fakecalls has only one interface language: Korean. This means that if a different system language is selected on the phone, the victim is likely to notice that something is amiss.
After the call is intercepted, two scenarios are possible. In the first, Fakecalls connects the victim directly with the cybercriminals, since the application has permission to make outgoing calls. In the second, the Trojan plays pre-recorded audio imitating the bank’s standard greeting. The attackers recorded several phrases in Korean of the kind usually spoken by voicemail systems or call center employees. Posing as bank employees, the fraudsters may try to get the victim to hand over payment data or other confidential information.
Besides outgoing calls, Fakecalls can also fake incoming calls. When the attackers want to contact the victim, the Trojan displays its own screen on top of the system one. As a result, the user does not see the real number used by the attackers but the one the malware displays, for example, the phone number of the bank’s support service.
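The permission set requested at install time is the earliest point at which a defender can spot this behaviour. The following triage script is an added example, not code from Kaspersky or from the article: it parses a constructed permission dump in the style printed by `aapt dump permissions` and flags apps that combine call handling with the other categories listed above. The mapping from the article's categories to Android permission names and the flagging threshold are assumptions.

```python
import re

# Assumption: standard Android permission names chosen to represent the
# categories the article lists; the article itself gives no exact names.
CATEGORIES = {
    "contacts": {"READ_CONTACTS", "WRITE_CONTACTS"},
    "microphone": {"RECORD_AUDIO"},
    "camera": {"CAMERA"},
    "geolocation": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "call handling": {"PROCESS_OUTGOING_CALLS", "CALL_PHONE",
                      "ANSWER_PHONE_CALLS", "READ_CALL_LOG"},
}

# Accepts both "uses-permission: name='android.permission.X'" and the older
# "uses-permission: android.permission.X" line styles.
PERM_RE = re.compile(
    r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?android\.permission\.([A-Z_]+)")

def parse_permissions(dump):
    """Return the short names of all android.permission.* entries in a dump."""
    perms = set()
    for line in dump.splitlines():
        match = PERM_RE.match(line.strip())
        if match:
            perms.add(match.group(1))
    return perms

def triage(dump):
    """Group requested permissions by category and decide whether to flag."""
    perms = parse_permissions(dump)
    hits = {cat: sorted(perms & names)
            for cat, names in CATEGORIES.items() if perms & names}
    # Assumed threshold: call handling plus at least two other categories.
    flagged = "call handling" in hits and len(hits) >= 3
    return {"categories": hits, "flagged": flagged}

# Constructed sample dumps (package names are placeholders, not real apps).
SUSPECT_DUMP = """package: com.example.fakebank
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.PROCESS_OUTGOING_CALLS'
uses-permission: name='android.permission.CALL_PHONE'
"""
BENIGN_DUMP = """package: com.example.maps
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
"""

if __name__ == "__main__":
    for name, dump in (("suspect", SUSPECT_DUMP), ("benign", BENIGN_DUMP)):
        print(name, triage(dump))
```

A flag here is a prompt for manual review, not a verdict: legitimate dialer and VoIP apps request similar combinations.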