New FakeCall malware variant hijacks your bank phone calls and your entire device

01 Nov 2024, 15:20 by Chris Thomas · Android Police

Key Takeaways

FakeCall malware campaign resurfaces with enhanced vishing tactics, posing as bank employees.
Attack employs various phishing techniques like smishing and quishing, redirecting calls to a fake call center run by hackers.
Protect yourself by avoiding links in suspicious messages, using secure portals, and being cautious of side-loading apps.

A particularly malignant malware campaign known to researchers since at least 2022 has reared its head again, this time with troublesome new techniques and capabilities. FakeCall, first identified as Letscall, leverages sophisticated exploits to jeopardize security once it takes hold of a device, and now utilizes vishing, or voice phishing, to gather victims' sensitive information (via DarkReading). The hackers go so far as to pose as bank employees after rerouting users' phone calls to its own call center, instead of the financial insitution they were meant for.

Vishing, smishing, and quishing: Fraud in the 2020s

As if SMS phishing wasn't bad enough

Source: Google

While Google has taken measures to reduce the potential harm of side-loading by making it more difficult, FakeCall attempts to sidestep those protections by emulating the Play Store and tricking users into downloading malware-infected apps. Once compromised, a device is open to a vast range of hacks, essentially giving the perpetrators full access to pretty much every aspect of the phone. That includes capturing and uploading images, recording audio and video, redirecting outgoing calls, and much more.

Android security patches don't matter as much as you think

You're not that screwed when they stop

FakeCall has used similar tactics over the two years it's been tracked. After installing the hacked software, a device can be used by hackers to engage in fraud such as requesting a loan on the victim's behalf. If and when the user notices the activity and calls their bank, the malware redirects the call to a dedicated call center, where criminals act as bank employees and ensure the user nothing's wrong. The bad actors can then extract additional sensitive details about any aspect of the victim's live by simply asking, under the guise of trying to help.

Staying safe from FakeCall and other dangerous hacks

Source: Android Police

The attack also engages in smishing (SMS phishing), quishing (QR code phishing), and email-based mobile phishing, according to security research firm Zimperium. A major rule in protecting yourself is to never respond to messages from financial and other sensitive institutions outside their dedicated avenues. In other words, don't click links in SMS or messaging app alerts.

Instead, if you receive unexpected communication claiming to be from, for example, a bank, navigate to the institution's secure portal (either its website or app) and log in of your own accord, making sure you're accessing the actual portal and not a spoofed imitation.

Side-loading apps also remains an issue, as always, although hackers understand that consumers are getting wise to its dangers. Using a powerful ad blocker and modern web features like HTTPS routing, plus general due diligence, makes a world of difference in keeping your identity and money from being stolen. You can find extensive details regarding FakeCall at Zimperium's report, which also links to a Github page with Indicators of Compromise that expose infected devices.

Best Android VPN in 2024

Give your Android an upgrade with a VPN app