Your bank is one of the last places left where you can call up the company and expect to get a human being on the other end, even if you have to wait on hold for a while before you get there.
But newly spotted malware on Android phones might make you think twice about making your next bank call. The trojan app can detect calls to specific banks made from personal phones and reroute them to hackers, with the one making the call none the wiser.
The “FakeCall” or “FakeCalls” malware has been active for a little over two years, according to BleepingComputer, but has recently become more complex and harder to spot. While it previously posed as a banking app, newer versions spotted by security firm Zimperium are more insidious. The app gets installed as a side-loaded APK — as is often the case with Android malware — then asks for permission to become the default call handler, essentially replacing your phone’s regular dialer app.
The malware app then runs in the background, patiently waiting for you to call a known bank telephone number. When it detects such activity, it reroutes the call to a hacker (who’s literally on call for this, har har). Then, aided by a spoofed visual element to hide the destination of the real call, the hacker poses as a bank employee to get your real bank info. Once you’ve given up your account number and a few personal details, they can drain your accounts at their leisure.
There are a few other options for obfuscation. The system lets the hacker call you directly and pose as your bank if they’re feeling impatient, or perform a few other tricks via remote control.
It’s an ingenious and complex system, but the core of the scam still relies on you downloading an unverified APK and giving an app permission to replace your phone’s standard dialer. Newer variations of the malware are capable of monitoring Bluetooth connections and using Android’s accessibility tools to spoof user interface elements, too.
Zimperium has spotted this malware “in the wild,” though it hasn’t shown up in any apps on the Google Play Store yet (which does happen, but rarely). About a dozen different APK variations are listed on the GitHub tools for detecting them, some with seemingly random strings of letters, some with innocuous labels like com.securegroup.assistant. As always, and in common with Windows software, never download Android apps from a source that you don’t trust.
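A defender-side check for the pattern described above (a side-loaded package that holds the default dialer role or an enabled accessibility service), as an added example that is not from the article, Zimperium or BleepingComputer. It assumes the three inputs were collected over adb with `pm list packages -3 -i`, `telecom get-default-dialer` and `settings get secure enabled_accessibility_services`; the sample outputs, the class names and the trusted-installer list are constructed for illustration.

```python
import re

# Assumption: only Google Play counts as a trusted installer; extend as needed.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -3 -i` (third-party apps)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers

def parse_accessibility(setting_value):
    """Packages that own an enabled accessibility service (pkg/class:pkg/class)."""
    value = setting_value.strip()
    if value in ("", "null"):
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def flag_packages(pm_output, default_dialer, accessibility_setting):
    """Return (package, installer, reasons) for non-store apps with call or UI control."""
    a11y = parse_accessibility(accessibility_setting)
    dialer = default_dialer.strip()
    findings = []
    for pkg, installer in sorted(parse_installers(pm_output).items()):
        if installer in TRUSTED_INSTALLERS:
            continue
        reasons = []
        if pkg == dialer:
            reasons.append("default dialer")
        if pkg in a11y:
            reasons.append("accessibility service")
        if reasons:
            findings.append((pkg, installer, reasons))
    return findings

# Constructed sample outputs; the package name com.securegroup.assistant is from the article.
SAMPLE_PM = """package:com.example.notes  installer=com.android.vending
package:com.securegroup.assistant  installer=null
package:com.example.game  installer=com.google.android.packageinstaller
"""
SAMPLE_DIALER = "com.securegroup.assistant\n"
SAMPLE_A11Y = "com.securegroup.assistant/.ExampleService:com.example.notes/.ReaderService\n"

if __name__ == "__main__":
    for pkg, installer, reasons in flag_packages(SAMPLE_PM, SAMPLE_DIALER, SAMPLE_A11Y):
        print(f"{pkg} (installer={installer}): {', '.join(reasons)}")
```

A hit is a prompt to review the app rather than proof of FakeCall, since a legitimately side-loaded dialer or accessibility tool matches the same pattern.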