“Android Trojan Obtains Enhanced Stealth Features to Capture Banking Voice Communications”

# FakeCall Malware: An Advanced Trojan for Android That Redirects Bank Calls

## Introduction

In the constantly shifting realm of cybersecurity threats, **FakeCall** has become a notably perilous Android malware. Initially identified in 2022, this Trojan has gained infamy due to its skill in intercepting and rerouting phone calls made by victims to their banking institutions, sending them to numbers controlled by attackers. This article examines the features of FakeCall, its progression, and what it means for Android users, especially those dealing with financial entities.

## What is FakeCall?

FakeCall is far from a typical banking Trojan. While most banking malware concentrates on harvesting credentials via phishing or keylogging, FakeCall takes a more direct and more sophisticated route: it reroutes calls placed to genuine bank customer support lines, so victims believe they are speaking with their bank when they are in fact talking to the attackers.

### How Does It Operate?

1. **Installation**: FakeCall usually disguises itself as a genuine application, often presenting itself as a financial or banking utility. It is often distributed via websites that imitate the Google Play Store, deceiving users into downloading it.

2. **Permissions**: During installation, the application requests permission to set itself as the default call handler on the Android device. Once this permission is granted, the malware can intercept and manipulate phone calls.

3. **Call Rerouting**: When a victim tries to contact their bank’s customer support, FakeCall detects the outgoing call and reroutes it to a number controlled by the attacker. To maintain the illusion, the malware can overlay its own call interface on top of the system dialer’s, hiding any sign that the dialed number has been changed.

4. **Simulated Incoming Calls**: FakeCall can also imitate incoming calls from what seems to be a bank employee, further persuading victims that they are dealing with legitimate representatives.

## A Strategic Evolution

Since its initial discovery, FakeCall has undergone numerous updates, with newer versions incorporating more advanced functionalities. In October 2024, researchers from **Zimperium**, a mobile security company, revealed **13 new variants** of the malware. These variants highlight that the creators behind FakeCall are consistently enhancing its capabilities, making it increasingly challenging to spot and more threatening to users.

### Key Features of the New Variants

1. **Obfuscation**: The newest versions of FakeCall utilize advanced obfuscation methods, concealing malicious code within a dynamically decrypted and loaded `.dex` file. This makes it tough for conventional malware detection tools to recognize the Trojan.

2. **Native Code Migration**: Certain functionalities of the malware have been moved into native code, which complicates static analysis and detection further. This shift indicates that the attackers are refining their techniques to evade security controls.

3. **Bluetooth and Screen Monitoring**: The latest variants include aspects that track Bluetooth status and screen activities. Although these features do not currently display malicious behavior, they might serve as precursors for future capabilities.

4. **Accessibility Service Exploitation**: FakeCall now registers an **Accessibility Service**, which grants it substantial control over the user interface. This enables the malware to:
   - **Monitor Dialer Activity**: Detect when the user places a call through an application other than the malware itself.
   - **Automatic Permission Granting**: Bypass user consent by clicking through permission prompts and granting permissions to itself.
   - **Remote Control**: Allow attackers to remotely manipulate the device’s user interface, simulating user interactions such as taps and gestures.

5. **Command and Control (C2) Communication**: The malware communicates with a **C2 server**, enabling attackers to issue commands and perform actions on the infected device. This includes the ability to manipulate the device’s user interface, facilitating the theft of sensitive information.
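The two footholds described above (an app holding the default call handler role, from the "How Does It Operate" steps, and an app running an enabled Accessibility Service, from the new-variant features) are both visible to an administrator over `adb`. The triage helper below is an added example, not Zimperium's tooling or anything from the FakeCall analysis; it parses the output of three real `adb shell` commands and flags third-party packages that hold either foothold or both. The package names and command outputs are constructed samples.

```python
"""Triage helper (added example): flag third-party Android packages that hold
the default dialer role and/or run an enabled Accessibility Service, the two
footholds the article attributes to FakeCall. Inputs are constructed samples
of real `adb shell` command output so the parsing runs offline."""
import subprocess

# Constructed sample of `adb shell cmd role get-role-holders android.app.role.DIALER`
DIALER_ROLE_OUTPUT = "com.example.fakebank\n"
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
A11Y_OUTPUT = ("com.example.fakebank/.A11yService:"
               "com.android.talkback/com.google.android.marvin.talkback.TalkBackService\n")
# Constructed sample of `adb shell pm list packages -3` (third-party packages only)
THIRD_PARTY_OUTPUT = "package:com.example.fakebank\npackage:com.example.weather\n"


def parse_role_holders(text: str) -> set:
    """Role holders may be printed one per line or ';'-joined; accept both."""
    return {p.strip() for p in text.replace(";", "\n").splitlines() if p.strip()}


def parse_accessibility_services(text: str) -> set:
    """The setting is a ':'-separated list of package/ServiceClass entries
    (or the literal 'null' when nothing is enabled); return owning packages."""
    text = text.strip()
    if text in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


def parse_packages(text: str) -> set:
    """`pm list packages` prints 'package:<name>' per line."""
    return {ln[len("package:"):].strip() for ln in text.splitlines()
            if ln.startswith("package:")}


def assess(dialer_output: str, a11y_output: str, third_party_output: str) -> dict:
    """Intersect each foothold with the third-party package list; a package in
    'both' matches the dialer-role + accessibility combination described above."""
    third_party = parse_packages(third_party_output)
    dialers = parse_role_holders(dialer_output) & third_party
    a11y = parse_accessibility_services(a11y_output) & third_party
    return {"third_party_dialer": sorted(dialers),
            "third_party_accessibility": sorted(a11y),
            "both": sorted(dialers & a11y)}


def adb_shell(*args: str) -> str:
    """Run one `adb shell` command against the attached device (needs adb installed)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    print(assess(adb_shell("cmd", "role", "get-role-holders", "android.app.role.DIALER"),
                 adb_shell("settings", "get", "secure", "enabled_accessibility_services"),
                 adb_shell("pm", "list", "packages", "-3")))
```

A hit in `both` is not proof of infection on its own (a legitimate third-party dialer with an accessibility feature would also appear), but it is the combination worth pulling the APK for and checking against the published IoCs.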

## Targeting and Language Support

At first, FakeCall seemed to focus on users in **South Korea**, with the malware exclusively supporting the Korean language. Nonetheless, recent findings suggest that the Trojan has broadened its language support to encompass **English, Japanese, and Chinese**. Although there is no solid proof that speakers of these languages have been targeted thus far, the expansion implies that the attackers may be gearing up to widen their scope.

## Indicators of Compromise (IoCs)

Zimperium has released a compilation of **Indicators of Compromise (IoCs)**, which can assist security experts and users in identifying the presence of FakeCall on their devices. These IoCs encompass file hashes, network indicators, and behavioral patterns linked to the malware. You can access the complete list of IoCs on Zimperium’s [GitHub repository](https://github.com/Zimperium/IOC/tree/master/2024-10-FakeCall).

## Protecting Yourself from FakeCall

Considering the sophisticated nature of FakeCall, it is vital for Android users to exercise heightened caution, particularly when engaging with financial applications or services. Here are some actions you can take to safeguard yourself:

1. **