A sophisticated voice-based phishing malware is targeting Android handsets and bilking private financial data from targets, part of a trend raking in millions of dollars of profits using vishing attack techniques. Unlike typical and simple vishing scams, these attacks hijack handsets, implants pre-recorded voice messages and re-routs calls to scammer call centers.
A recent analysis of the vishing campaign by researchers maps out how the malware works and traces it to a group of malicious Android apps. Once victims are tricked into installing the malware, adversaries are able to launch a series of voice-based phishing scams.
The unknown threat actor responsible for the malware is currently targeting victims in South Korea but the researchers believe the package could be easily adapted to operate in any country, and sold on the dark web as a service.
In a report post last week, researchers at ThreatFabric said they identified the malicious app Letscall during their regular threat-hunting activities. The malware, they said, is particularly effective for harvesting personal information and carrying out financial scams.
Once infected, threat actors can take control of the device’s calling function, allowing them to make spoofed calls pretending to be from a financial institution, or to divert calls to their own call center when the victim tries to phone their bank.
Scam calls are big business
“In case the victim notices some unusual activity, the attacker will call the victim, posing as a member of the Bank security team, and reassure the victim that there is nothing to worry about,” the researchers wrote.
ThreatFabric found audio files embedded in the malware that mimicked the greetings a caller would hear if they phoned particular banks. These audio files would be played as the app diverted a call to the threat actor’s call center when the victim attempted to call their bank.
“A well-prepared operator [at the fake call center] will answer the call in case the victim decides to contact the bank and ask questions related to suspicious activity,” the researchers said.
“With this Modus Operandi, attackers may also ask the victim for additional details that could help them in their criminal activities and complete the fraudulent money transfer.”
Similar malware, also targeting victims in South Korean, was analyzed by Check Point who said voice phishing attacks had a long history in the country. According to a government report, voice phishing scams cost South Koreans approximately $600 million in 2020 and impacted up to 170,000 people between 2016 and 2020.
How phones are infected
The Letscall infection begins when a victim visits a phishing website that imitates a page on the Google Play Store, where clicking on a link downloads the first stage of the malware onto their phone. ThreatFabric said it was unclear how victims were persuaded to visit the phishing site although it was likely malicious SEO techniques, or a spam-based social engineering ruse was used.
Among the mimicked sites the researchers discovered were two for loan comparison aggregator services.
“Each page will trick the victim to type in sensitive information, such as Resident registration number (or ID), phone number, home address, salary size, and employer name. That input data will be automatically sent to the attackers,” the report said.
“The same data is supposed to be typed into the original web page of the loan aggregator. We can say with high confidence that attackers will either use the exfiltrated data to fill a similar form on the legitimate website to request a loan, or it might also be possible that the phishing page is acting as a proxy between the victim and loan aggregator page.”
The second and third stage of the infection involved the installation of a powerful spyware application used to exfiltrate data and enroll the device into a peer-to-peer (P2P) voice over IP communication and messaging service, Zegocloud.
“Such functionality is needed to perform P2P voice/video connection between the call-centre operator and victim, and the same channel is also used for C2 (command-and-control) communication with many different commands,” the researchers said.
The rise of vishing
While Letscall was observed targeting the South Korean market, ThreatFabric’s researchers said there was nothing preventing the threat actors behind the malware from extending its scope into other countries.
“In other words, we are dealing with a ready-to-use framework which could be used by any threat actor, as it contains all instructions and tools on how to operate the affected devices and how to communicate with the victims,” the researchers said.
“It is clear that technical features are as important as social engineering, which is confirmed by the attention the group dedicates to using fake Google Play pages, stolen logos of the existent Korean applications, combined with a new technique with nanoHTTPD to drop the payload,” they wrote.
“Finally, the well-designed infrastructure that we observed during our analysis could potentially be used by phone operators speaking different languages. We predict that such a tool kit could be promoted as MaaS (Malware as a Service) on the Darkweb.”
To avoid infection from Letscall and other vishing malware, phone users should deny accessibility services access to any suspicious applications, the researchers said. “Without this permission, it will be much harder for criminals to act on the device.”
