Key Takeaways
- FakeCall malware campaign resurfaces with enhanced vishing tactics, posing as bank employees.
- Attack employs various phishing techniques like smishing and quishing, redirecting calls to a fake call center run by hackers.
- Protect yourself by avoiding links in suspicious messages, using secure portals, and being cautious of side-loading apps.
A particularly malignant malware campaign known to researchers since at least 2022 has reared its head again, this time with troublesome new techniques and capabilities. FakeCall, first identified as Letscall, leverages sophisticated exploits to jeopardize security once it takes hold of a device, and now utilizes vishing, or voice phishing, to gather victims’ sensitive information (via DarkReading). The hackers go so far as to pose as bank employees after rerouting users’ phone calls to its own call center, instead of the financial insitution they were meant for.
Vishing, smishing, and quishing: Fraud in the 2020s
As if SMS phishing wasn’t bad enough
While Google has taken measures to reduce the potential harm of side-loading by making it more difficult, FakeCall attempts to sidestep those protections by emulating the Play Store and tricking users into downloading malware-infected apps. Once compromised, a device is open to a vast range of hacks, essentially giving the perpetrators full access to pretty much every aspect of the phone. That includes capturing and uploading images, recording audio and video, redirecting outgoing calls, and much more.
Related
Android security patches don’t matter as much as you think
You’re not that screwed when they stop
FakeCall has used similar tactics over the two years it’s been tracked. After installing the hacked software, a device can be used by hackers to engage in fraud such as requesting a loan on the victim’s behalf. If and when the user notices the activity and calls their bank, the malware redirects the call to a dedicated call center, where criminals act as bank employees and ensure the user nothing’s wrong. The bad actors can then extract additional sensitive details about any aspect of the victim’s live by simply asking, under the guise of trying to help.
Staying safe from FakeCall and other dangerous hacks
Source: Android Police
The attack also engages in smishing (SMS phishing), quishing (QR code phishing), and email-based mobile phishing, according to security research firm Zimperium. A major rule in protecting yourself is to never respond to messages from financial and other sensitive institutions outside their dedicated avenues. In other words, don’t click links in SMS or messaging app alerts.
Instead, if you receive unexpected communication claiming to be from, for example, a bank, navigate to the institution’s secure portal (either its website or app) and log in of your own accord, making sure you’re accessing the actual portal and not a spoofed imitation.
Side-loading apps also remains an issue, as always, although hackers understand that consumers are getting wise to its dangers. Using a powerful ad blocker and modern web features like HTTPS routing, plus general due diligence, makes a world of difference in keeping your identity and money from being stolen. You can find extensive details regarding FakeCall at Zimperium’s report, which also links to a Github page with Indicators of Compromise that expose infected devices.
UPDATE: 2024/11/01 20:38 EST BY CHRIS THOMAS
Google reaffirms the Play Store’s safety
In light of FakeCall’s resurgence, Google took an in-depth look at the apps officially offered by the Play Store. A representative reached out following this piece’s publication and had this to say:
“Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.” — A Google spokesperson
Related
Best Android VPN in 2024
Give your Android an upgrade with a VPN app