A new version of Fakebank malware can intercept banking-related calls

FakeBank malware can now redirect banking-related phone calls to scammer's line

Security experts discovered a new variant of FakeBank malware^[1] spreading in South Korea. This variant of Android virus^[2] is designed to redirect phone calls to scammers when users try to call their banks. Researchers report that malware was spreading with the help of 22 apps that were available on third-party app stores and social networks.

As many individuals choose to manage their banking via the phone, it became a perfect opportunity for cybercriminals to steal money directly from the bank account. The recent version of FakeBank malware can intercept incoming and outgoing calls. Therefore, when victims think that they are talking with a representative from a bank, they are actually talking with scammers.

Previous versions of malware were detected earlier this year. At the beginning of January, researchers spotted FakeBank entering victims phones as an SMS/MMS management application.^[3] The virus was able to send and read SMS messages, record bank calls, and display fake bank login pages to steal credentials.

Targets of FakeBank malware were primary customers of Russian banks (Sberbank, Leto Bank, VTB24 Bank). However, amongst the victims were Chinese (17%), Ukranian (2%), Romanian (1%), German (1%) and nationals of other countries, as well. The recent version mostly targets Android users in South Korea.

It was also discovered that FakeBank’s C&C domains were mainly located in Warmia-Masuria (Poland) and Russia. The IP address is provided by a company that was previously connected to fraud. Security experts at suggest that the company is Wuxi Yilian LLC.^[4]

The main feature of FakeBank – intercept banking-related phone calls

Malware spreads as fake banking apps via third-party app stores. When a malicious app is installed and launched, malware immediately collects and sends information to the remote Command and Control (C&C) server. Meanwhile, users see a fake screen of their bank.

The C&C server responds with four different numbers that will be used:

1. The real phone number of the bank that will be changed;
2. The phone number that will be used instead of the legit bank number;
3. The number that will be used by scammers to initiate the call to the victim;
4. The real bank number that will be used to hide the real scammer's caller ID.

After malware attack, FakeBank malware shows real bank number of the incoming or outgoing call. However, in reality, users are calling one of the numbers that belong to criminals. For this reason, users cannot suspect that they are actually talking with criminals who want to get access to their bank accounts and steal the money.

Cybercriminals are using advanced techniques to obtain banking details

Security experts concluded that malware is incredibly sophisticated, as it first scans users devices for security software and, once detected, leaves the phone silently. It was noted that whoever created FakeBank malware was excessively familiar with SMS online bank schemes, as all SMS containing vital information are filtered and transmitted to the command-and-control^[5] server.

To prevent its detection and elimination, FakeBank malware does not allow users' opening device settings or the legitimate banking application of the connected bank account. The payload is hidden in a way that does not permit its detection and makes it harder for victims to uninstall the malicious app.

Despite the fact that the recent version of malware mostly spreads in South Korea, Android users are reminded to be careful with app downloads. Security experts highly recommend installing apps from official Google Play store and avoid third-party sources. Additionally, it's important to read app permissions and do not install applications that ask too much access.

Finally, smartphone users should protect their devices with antivirus software and keep it updated.