The notorious banking trojan Fakecalls, which has been targeting Android users in South Korea for over a year now, has adopted a new tactic to bypass cybersecurity barriers. While in the past it targeted South Korean organizations via fake apps, this time it used legitimate app signing keys to fool signature-based detection techniques.

Fake apps carrying Fakecalls

According to a report by McAfee, the Fakecalls campaign is using keys stolen from a genuine application popular in South Korea.
  • The developer is a renowned IT company, dealing with organizations in various sectors, including gaming, advertising, and payments.
  • The fake apps abusing this key masquerade as genuine banking apps, and even use the icons stolen from genuine banking apps.

Attack details

To avoid detection, the malware uses a packer to encrypt its source code. The decryption of the source code revealed several capabilities.
  • When the malware gets executed, it attempts to install another app by asking for the relevant permissions. This application is stored in the asset directory, masquerading as an HTML file named introduction[.]html.
  • This payload requests the user to grant several additional permissions, including one to access sensitive data on the infected device.
  • It further registers the device for several services, and then establishes a connection with the C2 server to obtain further instructions.
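One defensive check that follows from the dropper behaviour described above: scan an APK's assets/ directory for files whose benign-looking extension hides an executable container (DEX, nested APK/ZIP, ELF). This is an added example, not code from McAfee's report or from Cyware; the sample APK is constructed in memory and the file name introduction.html is taken from the text, not from a real sample.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Header bytes of formats that have no business sitting behind a .html/.txt
# extension inside assets/. Constructed allowlist for this example.
MAGIC = {
    b"dex\n": "DEX",           # Dalvik executable (dex\n035\0 ...)
    b"PK\x03\x04": "ZIP/APK",  # nested APK or JAR
    b"\x7fELF": "ELF",         # native library
}
BENIGN_EXT = (".html", ".htm", ".txt", ".json", ".css", ".js")


def classify(head: bytes) -> Optional[str]:
    """Map the first bytes of a file to a known executable format, or None."""
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def find_masquerading_assets(apk_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, real format) for assets/ entries whose extension
    claims a harmless text type but whose header says executable content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            if not name.startswith("assets/") or not name.lower().endswith(BENIGN_EXT):
                continue
            with z.open(info) as f:
                head = f.read(8)  # enough for every magic value above
            fmt = classify(head)
            if fmt:
                findings.append((name, fmt))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample, not a real Fakecalls dropper: one genuine HTML
    asset and one 'HTML' asset that is really an embedded DEX payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/help.html", "<html><body>help</body></html>")
        z.writestr("assets/introduction.html", b"dex\n035\x00" + b"\x00" * 32)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)  # legit, skipped
    return buf.getvalue()


if __name__ == "__main__":
    for entry, fmt in find_masquerading_assets(build_sample_apk()):
        print(f"suspicious: {entry} carries a {fmt} header")
```

Because the check keys on file headers rather than on the signer, it still fires when the APK is signed with a stolen but otherwise valid key.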

Some links to the past

Researchers noticed that the URLs linked with the current Fakecalls campaign were first observed in August 2022.
  • Several of those domains are now down; however, one of the phishing sites created then is still operational, masquerading as a banking site. The web page was last updated in October 2022.
  • This operational domain is linked with several additional IP addresses that are still under the attacker's control and serve as a C2 administration page for controlling the infected devices.

Concluding notes

Fakecalls is continuously enhancing its evasion tactics to bypass security systems, and the use of genuine application signing keys has further strengthened its application impersonation. To stay protected, experts recommend downloading apps from official and reliable sources only.
Cyware Publisher