Highlights:

• CPR alerts on an Android Trojan named “FakeCalls”, a voice phishing malware

• Malware can masquerade incoming calls as coming form known legitimate financial organizations, aiming to gain the victim’s trust and extract personal and financial data

• “FakeCalls” malware targets the South Korean market, faking calls from over 20 leading financial organizations

Background

When malware actors plan entering a business, they can choose markets where their profit is almost guaranteed to be worth the effort – according to past results.

Recently Check Point Research encountered an Android Trojan dubbed FakeCalls, A malware able to masquerade as more than 20 financial applications and imitate phone conversations with bank employees. This kind of attack is called voice phishing (AKA Vishing).

Vishing – a portmanteau of voice and phishing – attacks are performed over the phone, and are considered a type of a social engineering attack, as they use psychology to trick victims into handing over sensitive information or performing some action on the attacker’s behalf.

“FakeCalls” targets the South Korean market and possesses the functionality of a Swiss army knife being able not only to conduct its primary aim but also aims and succeeds to extract private data from the victim.

Vishing attacks have a long history in the South Korean market. According to A report published in the governmental website of South Korea, financial losses due to voice phishing constituted approximately 600 million USD in 2020 with the number of victims getting as high as 170,000 people in the period from 2016 to 2020. Phishing scams in South Korea have caused more than $1.24 billion in damage over the past five years, with less than 30 percent of the stolen money being retrieved.

Voice phishing (AKA Vishing)

The idea behind voice phishing is to trick the victim into thinking that there is a real bank employee on the other side of the call. As the victim thinks that the application in use is an internet-banking application (or payment system application) of a real financial institution, there is no reason to be suspicious of an offer to apply for a loan with a lower interest rate – which is fake, of course. At this step, the malware actors can lay the necessary groundwork to understand how to approach the victim in the best way possible.

At the point where conversation happens, the phone number belonging to the malware operators, unknown for the victim, is replaced by a real bank number. Therefore, the victim is under the impression that the conversation is made with a real bank and its real employee. Once the trust is established, the victim is tricked into “confirming” the credit card details in the hope of qualifying for the (fake) loan.

The list of organizations that were mimicked includes banks, insurance companies, and online shopping services.

This is the principal scheme of the attack:

When victims install the FakeCalls malware, they have no reason to suspect that some hidden “Features” are included in the “trustworthy” internet-banking application from that solid organization.

Evasion techniques previously unknown detected

We discovered more than 2500 samples of the FakeCalls malware different in a combination of mimicked financial organizations and implemented evasion techniques. The malware developers paid special attention to the protection of their malware, implementing several unique evasion techniques that we had not seen in-the-wild before.

In our full research we describe all the encountered techniques, show how to mitigate them, dive into the details of the malware functionality and explain how to stay protected from this and similar threats.

How to Prevent Vishing Attacks

Like other social engineering attacks, user awareness is essential for prevention and protection. Some important points to include in cybersecurity awareness training are:

• Never Give Out Personal Data: Vishing attacks are commonly designed to trick the target into handing over personal information that can be used for fraud or in other attacks. Never provide a password, multi-factor authentication (MFA) number, financial data, or similar information over the phone.
• Always Verify Phone Numbers: Vishers will call while pretending to be from a legitimate organization. Before giving any personal data or doing anything that the attacker says, get the caller’s name and call them back by using the official number from the company website. If the caller tries to talk you out of doing so, it’s probably a scam.
• No-One Wants Gift Cards: Vishers will commonly demand payment for unpaid taxes or other fees in gift cards or prepaid Visa cards. No legitimate organizations will request a gift card or prepaid credit as payment.
• Never Provide Remote Computer Access: Vishers may request remote access to your computer to “remove malware” or fix some other issue. Never provide access to your computer to anyone except verified members of the IT department.
• Report Suspected Incidents: Vishers commonly will try to use the same scam on multiple different targets. Report any suspected vishing attack to IT or the authorities so that they can take action to protect others against it.

Check Point offers a range of solutions that can help organizations to mitigate vishing, phishing, and other related attacks. Check Point’s Harmony Email and Office includes anti-phishing protections and can help detect attempted data exfiltration inspired by a vishing attack.

Check Point’s Harmony Mobile Prevents malware from infiltrating mobile devices by detecting and blocking the download of malicious apps in real-time. Harmony Mobile’s unique network security infrastructure – On-device Network Protection – allows you to stay ahead of emerging threats by extending Check Point’s industry-leading network security technologies to mobile devices.