It's called FakeCalls and it's a banking trojan that combines the typical characteristics of malware with social engineering techniques to circumvent security systems.

This malware is not new but it is an evolved version of a trojan already known by experts, much more adept at hiding from detection systems and more refined in social engineering techniques. It is a system that mimics financial organizations by tricking users into installing malware on their smartphone. Through techniques of various types, phishing or advertising of various types on websites, infected, apparently legitimate apps are installed, proposed by fake websites, perfect copies of the original.

How the attack happens

It appears that once the malware is installed, the attack is initiated with the offer of soft loans, meant to attract victims. When the victim expresses interest in her, the malware initiates a call that simulates the pre-registration made by customer service for obtaining the loan. Obviously the number is masked with the real one and the tones are also particularly realistic. The purpose is to induce the victim to leave bank details which are thus stolen. The same malware can also record audio and video on the victim's device, allowing criminals access to more personal data.

Vishing techniques

This specific type of phishing is more relevant than ever. Vishing is in fact a "voice phishing", i.e. a technique with which phone calls or voice messages are simulated to steal personal or banking data. Taking advantage of social engineering techniques, phone calls leverage feelings and emotions, blurring the ability to judge and misleading the victim. By creating states of alert, fear, haste, the user can be pushed to perform an action that, on reflection, he would not have performed.

The most common methods are the simulation of a compromised current account, inviting over the phone to transfer the money to avoid losses, the proposal of particularly advantageous offers, or tax or social security issues that require credentials.

The pitfall of FakeCalls malware

In addition to the already known behavior, the experts, analyzing the malware, have discovered advanced techniques to avoid being detected by security systems. It should also be noted that machine-learning techniques capable of generating increasingly realistic speeches will make it very difficult to defend against this type of attack. Maintaining high attention and level of awareness remains the only real defense for users.

Left B - Web Idea

newsletter image