Security researchers have discovered a new variant of the Fakebank malware. This new strain can now intercept a user's calls to the bank, redirecting them to the fraudsters number, and mask calls from scammers to calls from the bank.
According to a blog post by researchers at Symantec, 22 applications infected with the new version of Fakebank were discovered. These were distributed through alternative application stores, as well as through social networks, mainly in South Korea.
Earlier versions of the malware were able to intercept bank SMS, record customer calls to the bank, and also display fake login pages to Internet banking systems. The new variant can now also intercept outgoing and incoming calls.
When installed, Fakebank sends data to the command and control server about the smartphone and personal information about the user. After that, the program receives a configuration file containing phone numbers of the bank and scammers - when the user tries to call the bank, they are redirected to the number of scammers spreading the virus.
The malware also passes four bits of data to crooks, including the legitimate bank's phone number that will be replaced when the user dials it, the number of a scammer, ready to impersonate a bank agent. This number will actually be dialled when the user tries to call the bank, the number of a scammer that will call the victim. When this number calls the phone, the fake caller ID overlay will appear, and the legitimate bank number that should be used to overlay the scammer's incoming/outgoing caller ID.
Researchers said that the APIs and associated permission used to carry out this deception (android.permission.SYSTEM_ALERT_WINDOW) have evolved across Android versions. This malware optimises its version targets to avoid requesting permissions from the user.
IT seems that only users with phones running Android 8 are immune to the malware as “overlaying a system window from an app is not allowed, and so the malware can't carry out its deception.”
“In addition to tricking users into conversations with scammers, this malicious app sends call events to the C&C server. It also has a number of layouts customised to popular phone layouts in Korea,” said researchers.
Researchers recommended that users keep software up to date, refrain from downloading apps from unfamiliar sites and only install apps from trusted sources, and pay close attention to the permissions requested by apps. Researchers also urged users to make frequent backups of important data.
The first encounter with Fakebank malware was earlier this year in January. As reported by SC Media, the malware was spotted by researchers at Trend Micro and targeted banking customers in Russia. Among FakeBank's targets are customers of Russian financial institutions Sberbank, Leto Bank, and VTB24 Bank.