Understanding FakeCall: Mobile Threats from Mishing Malware

Just a SOC Analyst ^^
The zLabs security research team has been tracking the development of a new variant of the FakeCall malware. This is a form of Vishing (voice phishing), where attackers use fake calls or voice messages to trick victims into providing sensitive information such as login credentials, credit card numbers, or bank account details.
Mishing techniques in FakeCall
Mishing is a term that encompasses phishing techniques targeting mobile devices, exploiting features like calls, messaging, and cameras. FakeCall includes the following mishing techniques:
Vishing (voice phishing): Attackers use fake calls to trick victims into revealing sensitive information or performing unusual actions.
Smishing (SMS phishing): Attackers send fraudulent SMS messages to lure victims into clicking malicious links or sharing sensitive information.
Quishing (QR code phishing): Exploiting malicious QR codes for phishing attacks.
Email-based mobile phishing: Attackers craft specially designed emails to execute phishing when accessed through mobile email apps.
Notably, FakeCall has a highly sophisticated Vishing attack mechanism, using malware to almost completely control the mobile device, including intercepting incoming and outgoing calls. This results in victims being redirected to malicious phone numbers controlled by attackers while the phone interface still displays the normal call number.
How FakeCall works
The attack begins when the victim downloads an APK file onto an Android device. This file acts as a dropper, with its main task being to install malicious payloads (FakeCall) onto the victim's device.
The FakeCall malware is designed to communicate with a Command and Control (C2) server, allowing it to receive commands to perform various actions to deceive users.

Figure 1: FakeCall's attack chain
When launched, the application prompts the user to set it as the default call handler. Once it holds that role, it can manage all incoming and outgoing calls. Its OutgoingCallReceiver captures the android.intent.action.NEW_OUTGOING_CALL intent and extracts the dialed number with getResultData(). The application then displays a fake interface imitating the stock com.android.dialer app, with the malicious functions integrated behind it.

Figure 2: FakeCall's fake interface on the victim's device
Features of the New FakeCall Variant
Bluetooth Receiver and Screen Receiver
The new variant of FakeCall adds features like Bluetooth Receiver (monitoring Bluetooth status) and Screen Receiver (monitoring screen on/off status). Although there is no evidence of malicious behavior from these features yet, they may serve as new functions in future versions.
Accessibility Service
Another prominent feature is the Accessibility Service, which allows the malware to control the user interface and record screen events. Typical features include:
Monitoring Dialer Activity: Monitoring dialing activity, allowing the malware to detect when the user makes a call.
Automatic Permission Granting: Automatically granting permissions without user consent.
Remote Control: Remotely controlling the entire device interface, allowing attackers to simulate user interactions.
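The three capabilities described above (a dialer UI that can take the default call handler role, a receiver for NEW_OUTGOING_CALL, and an accessibility service) are all declared in the app's manifest, so a SOC analyst can triage a sample statically before running it. The script below is an added example, not code from the article or from zLabs/FPT: it parses a decoded AndroidManifest.xml (the form tools such as apktool produce) and reports those traits plus the data-access permissions that the C2 command set would need. The sample manifest is constructed, the package name is a placeholder, and the risk levels are this example's own heuristic.

```python
"""Static triage of a decoded AndroidManifest.xml for FakeCall-style traits.

Added example (not from the original article or zLabs/FPT).  The manifest
below is constructed for illustration; "example.placeholder.dialer" is a
placeholder package name, not an indicator from the article.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERM = f"{{{ANDROID_NS}}}permission"

# Constructed sample manifest in decoded (human-readable) form.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.placeholder.dialer">
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <activity android:name=".DialerActivity">
      <intent-filter>
        <action android:name="android.intent.action.DIAL"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <receiver android:name=".OutgoingCallReceiver">
      <intent-filter>
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
      </intent-filter>
    </receiver>
    <service android:name=".RemoteAccessibilityService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Permissions that back the data-theft commands listed in the article (SMS,
# contacts, call logs, camera, audio recording, location).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
}


def _actions(component):
    """Yield every intent-filter action name declared on one component."""
    for action in component.iter("action"):
        yield action.get(A_NAME, "")


def triage_manifest(manifest_xml: str) -> dict:
    """Return a dict of FakeCall-style findings present in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A_NAME, "") for p in root.iter("uses-permission")}
    findings = {}

    # 1. An activity handling ACTION_DIAL is what lets the app present itself
    #    as a dialer and ask to become the default call handler.
    dial_activities = [a.get(A_NAME) for a in root.iter("activity")
                       if "android.intent.action.DIAL" in _actions(a)]
    if dial_activities:
        findings["dialer_ui"] = dial_activities

    # 2. A NEW_OUTGOING_CALL receiver sees every dialed number (getResultData)
    #    and, with PROCESS_OUTGOING_CALLS, can rewrite it (setResultData).
    outgoing = [r.get(A_NAME) for r in root.iter("receiver")
                if "android.intent.action.NEW_OUTGOING_CALL" in _actions(r)]
    if outgoing or "android.permission.PROCESS_OUTGOING_CALLS" in perms:
        findings["outgoing_call_hook"] = outgoing

    # 3. An accessibility service is the remote-control / auto-grant channel.
    a11y = [s.get(A_NAME) for s in root.iter("service")
            if s.get(A_PERM) == "android.permission.BIND_ACCESSIBILITY_SERVICE"]
    if a11y:
        findings["accessibility_service"] = a11y

    hit = sorted(perms & SENSITIVE_PERMISSIONS)
    if hit:
        findings["sensitive_permissions"] = hit
    return findings


def risk_level(findings: dict) -> str:
    """Heuristic (this example's own): all three call-control traits together
    form the FakeCall pattern; any one of them alone deserves a closer look."""
    core = {"dialer_ui", "outgoing_call_hook", "accessibility_service"}
    present = core & set(findings)
    if present == core:
        return "high"
    if present:
        return "medium"
    return "low"


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("risk:", risk_level(result))
```

Run it against the manifest of a decoded sample instead of SAMPLE_MANIFEST to get the same findings; a legitimate dialer will usually show "dialer_ui" and perhaps the outgoing-call hook, but rarely an accessibility service alongside camera, SMS and call-log permissions.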
Phone Listener Service
This feature acts as an intermediary communication channel between the malware and the Command and Control (C2) server, allowing attackers to issue commands and perform actions on the infected device. Some commands are listed below:
| Command | Description |
|---|---|
| Connected | Send device information to the C&C server |
| Load settings | Query the C&C, send the device's IMEI to get the pre-configured settings from the attacker for this device |
| Send SMS | Send an SMS to the phone number received from the C&C |
| Delete SMS | Check if it has OP_READ_SMS permission and delete an SMS |
| Upload Contacts | Send a JSON file containing all phone numbers in the victim's contact list to the C&C server |
| Upload CallLogs | Send a list of incoming and outgoing calls from the device to the C&C server |
| Upload SMS | Upload SMS messages that match the filter received from the C&C server |
| Delete App | Delete a specific application from the device |
| Upload Location | Send the device's location to the C&C server |
| Start Record | Used to start recording for a specific period and send the recording to the C&C server |
| End Call | End a call on the victim's device |
| Upload AppInfo | Send a list of all installed applications on the victim's device to the C&C server |
| Live ON | Open a live stream from the victim's camera to the C&C server |
| Live Switch | Switch between the front and rear cameras |
| Live OFF | Close the live stream from the victim's camera |
| Add Contact | Add a new contact to the device with data specified from the C&C server |
| Delete Contact | Delete a contact from the device |
| Delete CallLog | Delete a specific call history entry by its ID |
| Take Pictures | Take a picture from the camera and send it to the C&C server |
Furthermore, this new variant also has more advanced commands to serve the purpose of controlling and interacting with the victim's device:
| Command | Description |
|---|---|
| turnoff_bluetooth | Turn off Bluetooth |
| get_thumbnail_list | Retrieve a list of thumbnails from the DCIM folder of external storage and send them to the C&C server |
| upload_thumbnail_list | Compress thumbnails into .jpg and upload to the C&C server |
| Upload_full_image | Compress and send a specific image to the C&C server |
| Delete_image | Delete a specific image as specified by the C&C server |
| Remote_homekey | Use accessibility services to simulate pressing the home button |
| Remote_wakeup | Command will unlock the device screen and disable the auto-lock function |
| Remote_click | Use accessibility features to simulate a tap on the device at coordinates specified by the C&C server |
| Request_phoneManager | Check which app is set as the default dialer manager |
| Request_phone_call | Set the malware as the default dialer manager |
| Remote_start | Initiate a video stream recording the device screen |
| Remote_stop | Stop the video stream recording the device screen |
| Remote_get_image | Capture a screenshot of the victim's device |
Impact Level
The main function of this malware is to monitor outgoing calls and transmit this information to an external Command and Control (C2) server. However, its impact is quite significant:
Identity Fraud: By tricking users into setting it as the default call handler, the application can manipulate dialing by replacing legitimate numbers with fake ones through the setResultData() method, deceiving users into making fraudulent calls.
Hijack Calls: The malware can intercept and control incoming and outgoing calls, even creating fake calls. Users may not be aware of this until they remove the application or restart the device.
An example attack scenario is:
When the victim attempts to contact their financial institution, the malware redirects this call to a fake number controlled by the attacker.
This malicious application deceives users by displaying a fake call interface identical to the Android call interface, showing the victim the real bank's phone number.
The victim will not be aware of this deception because the attacker also mimics behaviors similar to a real bank to trick the victim.
Finally, the attacker tricks the victim into revealing sensitive information and uses it to gain unauthorized access to the victim's financial accounts.
Recommendations
FPT Threat Intelligence recommends organizations and individuals take several measures to prevent this malware:
Educate and raise user awareness: Enhance awareness of Vishing, Smishing, and Quishing threats.
Do not download applications from unknown sources: Recommend users only install applications from Google Play or trusted sources.
Be cautious with app permissions: Before granting permissions to an app, users should check if the request is reasonable for the app's functionality.
Use mobile security software: Install mobile security applications with anti-malware features.
Regularly update software and operating systems: Google and phone manufacturers regularly release security patches. Updating devices helps users avoid security vulnerabilities that malware can exploit.
Limit app permissions: Use the operating system's permission controls to grant an app access only when it genuinely needs it, and revoke that access when it is no longer necessary.
Use multi-factor authentication (MFA): Apply multi-factor authentication for bank accounts and important accounts.
Monitor new malware variants: Use Threat Intelligence services to receive the latest notifications about malware and malicious campaigns.
IOCs related to FakeCall malware
Hashes
| SHA256 | Type |
|---|---|
| 473afda00aaf2bbff5d7c9aaa5933ba5f201b469b8546932c60119b1cf40471b | DEX |
| ce154ff877691c22380cc0e67979f8d9f3ab59986b66c7b03bdab36805cfef8e | DEX |
| 71073653f9992633dfbb38550cd196a7f201a8da6bea6ef88173ee2817ba023e | APK |
| fbdce3dd097f4a01814a14fa0e37c0e9a7618c0801adffb7c4dbd2e6927c220f | APK |
| 543734a2bb06d0433283a3b49d48f38b7ed500af82b47209a6087090bf1796cc | APK |
| fabdf6f305ed33293ffaac8651657426a6fa4a5bba79d95bf6b3ff481e9e6400 | APK |
| 099fce4dd0f15f591f59d9e39d68c669c7ec4e421c113d86605626318e4751b5 | APK |
| f886026ae6b194440eb135329bc9c6b56218560303207bd3ca45134cc6e66eeb | APK |
| d1b6ba52a08cc1eb508cb4abd236a27f5fa4d2299718485969b179cd70ffc072 | APK |
| c1d412b16811f0698dec4276f9ce6f92774e0dd8eb22ffcd386b0341312ef8a5 | APK |
| 2629eaf1a4477638d44797d3eab9bba1b40aeb3dfd46462813923a3ca149ff28 | APK |
| baad3941f6e291aa8288ceb9f72c06c3d3fd802e89865777832f20bd5127e4fd | APK |
| 2bb50b25ecf6263514bf1922967cb93e4768f96485ee3d9f9bb6417c950cc1c7 | APK |
| 9d39ace2806389638878646a90af23c716ad9f2c6d142f91f321b2324cbc2e6e | APK |
| 5daac96d677763c6e4b802501d56251960cc38f2e74fe81e8cf921672aa57c3b | APK |
Package name
| Value |
|---|
| com.qaz123789.serviceone |
| com.sbbqcfnvd.skgkkvba |
| com.securegroup.assistant |
| com.seplatmsm.skfplzbh |
| eugmx.xjrhry.eroreqxo |
| gqcvctl.msthh.swxgkyv |
| ouyudz.wqrecg.blxal |
| plnfexcq.fehlwuggm.kyxvb |
| xkeqoi.iochvm.vmyab |
IPs
| Value |
|---|
| 47.242.149.4 |
| 47.242.20.245 |
| 47.242.38.176 |
| 47.245.63.185 |
| 47.91.14.5 |
| 8.209.241.108 |
| 8.209.250.15 |
| 8.210.198.162 |
| 8.218.68.96 |
Domains
| Value |
|---|
| allcallpush01[.]com |
| allcallpush02[.]com |
| allcallpush09[.]com |
| allcallpush12[.]com |
| allcallpush15[.]com |
| chaowen000[.]com |
| chaowen006[.]com |
| chaowen105[.]com |
| ending052[.]com |
| tewen006[.]com |
| tewen007[.]com |
| vipyaooba[.]com |
| wending015[.]com |
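To put the indicator tables above to use, a SOC analyst typically sweeps managed devices and network telemetry for them. The script below is an added example, not code from the article or from zLabs/FPT: the package names, IPs and domains are the ones listed on this page (domains refanged from their `[.]` form), while the `adb shell pm list packages` output and the DNS/proxy log lines are constructed for illustration, with no real hosts behind them.

```python
"""Sweep host and network telemetry for the FakeCall IOCs listed in the article.

Added example, not part of the original article.  Indicator values are
copied from the page's IOC tables; the sample `pm list packages` output and
log lines are constructed.
"""
import re

FAKECALL_PACKAGES = {
    "com.qaz123789.serviceone", "com.sbbqcfnvd.skgkkvba", "com.securegroup.assistant",
    "com.seplatmsm.skfplzbh", "eugmx.xjrhry.eroreqxo", "gqcvctl.msthh.swxgkyv",
    "ouyudz.wqrecg.blxal", "plnfexcq.fehlwuggm.kyxvb", "xkeqoi.iochvm.vmyab",
}
FAKECALL_IPS = {
    "47.242.149.4", "47.242.20.245", "47.242.38.176", "47.245.63.185", "47.91.14.5",
    "8.209.241.108", "8.209.250.15", "8.210.198.162", "8.218.68.96",
}
FAKECALL_DOMAINS_DEFANGED = {
    "allcallpush01[.]com", "allcallpush02[.]com", "allcallpush09[.]com",
    "allcallpush12[.]com", "allcallpush15[.]com", "chaowen000[.]com",
    "chaowen006[.]com", "chaowen105[.]com", "ending052[.]com", "tewen006[.]com",
    "tewen007[.]com", "vipyaooba[.]com", "wending015[.]com",
}


def refang(text: str) -> str:
    """Undo the usual defanging ('[.]', 'hxxp') so indicators match raw telemetry."""
    return text.replace("[.]", ".").replace("hxxp", "http").lower()


FAKECALL_DOMAINS = {refang(d) for d in FAKECALL_DOMAINS_DEFANGED}

# Constructed sample: output of `adb shell pm list packages` on one device.
SAMPLE_PM_OUTPUT = """package:com.android.dialer
package:com.securegroup.assistant
package:com.example.bank
"""

# Constructed sample DNS / proxy log lines (the non-IOC hosts are documentation
# examples, not real infrastructure).
SAMPLE_NET_LOG = [
    "2024-11-01T10:00:01Z dns query phone-a1 A api.allcallpush01.com",
    "2024-11-01T10:00:02Z dns query phone-a1 A www.example.org",
    "2024-11-01T10:00:03Z proxy phone-a1 CONNECT 47.242.149.4:443",
    "2024-11-01T10:00:04Z proxy phone-a1 CONNECT 93.184.216.34:443",
]

# IPv4 address (group 1) or hostname with a TLD (group 2).
_HOST_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3})\b|\b([a-z0-9.-]+\.[a-z]{2,})\b")


def installed_package_hits(pm_output: str) -> list[str]:
    """Return installed package names that appear in the FakeCall package IOCs."""
    hits = []
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            name = line[len("package:"):]
            if name in FAKECALL_PACKAGES:
                hits.append(name)
    return hits


def network_log_hits(log_lines) -> list[tuple[int, str]]:
    """Return (line_number, indicator) for each line contacting a FakeCall IP or domain.

    Hostnames match the listed domain itself or any subdomain of it.
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        for ip, host in _HOST_RE.findall(refang(line)):
            if ip:
                if ip in FAKECALL_IPS:
                    hits.append((n, ip))
                continue
            labels = host.split(".")
            for i in range(len(labels) - 1):
                candidate = ".".join(labels[i:])
                if candidate in FAKECALL_DOMAINS:
                    hits.append((n, candidate))
                    break
    return hits


if __name__ == "__main__":
    print("package hits:", installed_package_hits(SAMPLE_PM_OUTPUT))
    print("network hits:", network_log_hits(SAMPLE_NET_LOG))
```

Feed `installed_package_hits` the real `pm list packages` output from a device under investigation and `network_log_hits` the DNS or proxy logs covering the period in question; the subdomain matching means a query for a host under one of the listed domains is still reported as a hit on that domain.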