A phishing campaign has been identified targeting Android users in South Korea. It lures the victims via a fake Google Play Store page, attempting to deliver the Fakecalls Android malware. Over 1,000 samples have been discovered within the past few months.
Experts from Cyble revealed that attackers have created a fake page impersonating Google Play Store that is used to deliver malicious applications loaded with Fakecalls Android malware.
The page, hosted on the URL: hxxp://118.170.57[.]235/, shows an Android application National Police Agency Pol-AntiSpy 3.0, which happens to be the name of the legitimate application developed by the South Korean National Police Agency (NPA).
Attackers even used the same icon and added a hyperlink to the official website to make it look legitimate.
The description of the app claims that the official app from the Cyber Security Bureau of NPA can scan for any spyware app on the user's mobile.
But, in truth, this fake app carries a variant of Fakecalls Android malware to infect users.
About Fakecalls Android malware
Fakecalls, detailed by Kaspersky in April, is known for luring its victims into calling a fake phone number, by pretending to be the bank’s customer care executive.
It is designed to steal sensitive details from victims’ Android devices, including contact details, call logs, SMS, and network operator and device location.
By accessing SMSes, it is capable of bypassing two-factor authentication.
Moreover, based on instructions received from its C&C server, it further records the audio via a microphone and manipulates the call logs to delete its traces.
Such campaigns always have some telltale signs of fraud such as downloading an application from an independent site instead of a reliable marketplace. However, combining several tactics of imitating authentic pages and making personalized calls make the campaign seem realistic to unsuspecting users. To stay protected, experts strongly warn against downloading apps from third-party websites. Also, do review the permissions requested by the app before installing.