Careful! Kaspersky Researcher Finds Fakecalls Trojan That Impersonates Phone Conversations With Bank Employees

JAKARTA - Kaspersky researchers discovered the banking Trojan Fakecalls in January 2021. During their investigation, they found that when a victim calls a bank hotline, the Trojan opens its own fake call screen in place of the bank's real call.

The banking trojan dubbed 'Fakecalls' disguises itself as a banking app and mimics customer support calls from South Korea's most popular banks.

There are two possible scenarios once a call has been intercepted. In the first, Fakecalls connects victims directly to cybercriminals who present themselves as bank customer support. In the second, the Trojan plays pre-recorded audio that imitates a bank's standard greetings and mimics standard conversations using automated voicemail.

From time to time, the Trojan inserts small audio snippets in Korean. For example, “Hello. Thank you for calling our bank. Our call center is currently receiving calls at a very high volume. Our consultants will get back to you as soon as possible.”

This lets cybercriminals trick victims into believing the calls are real. The main purpose of the call is to persuade the victim to provide as much highly confidential information as possible, including bank account details.

According to Kaspersky's report, the cybercriminals who use this Trojan did not take into account that some of their potential victims may use a different interface language, for example, English instead of Korean.

The Fakecalls screen only has a Korean version, which means some English-speaking users will notice that something is wrong and be able to uncover the threat. When downloaded, the Fakecalls app, masquerading as a real banking app, requests various permissions, such as access to contacts, microphone, camera, geolocation, and call handling.

The Fakecalls Trojan can not only control incoming calls but can also fake outgoing calls. If the cybercriminal wants to contact the victim, the Trojan displays its own call screen on top of the system screen. As a result, the user does not see the real number used by the perpetrator, but the telephone number of the bank support service displayed by the Trojan.

To convince victims that the app is genuine, Fakecalls completely imitates the mobile app of a popular South Korean bank. It includes the original bank logo and displays the bank's actual support number as shown on the main page of its official website.

“Banking clients are always advised to be wary of calls from scammers. However, when contacting the bank's customer support directly, they do not expect any harm. Because fundamentally, we have confidence in bank employees, we call on them for help and, because of that, we are pleased to provide whatever information they ask for, even to the impersonators,” said Igor Golovin, security researcher at Kaspersky.

The cybercriminals who created Fakecalls have combined two dangerous technologies: banking Trojans and social engineering, making victims more likely to lose money and personal data.

“When downloading a new mobile banking app, consider the permissions requested. If it tries to gain suspicious redundant access to device controls, including call handling access, then it's most likely a banking Trojan.”
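The permission check described above can be automated when triaging an app before install. The following is an added example, not part of the original article or Kaspersky's report: it reads a decoded `AndroidManifest.xml` and flags apps that ask for call handling together with the other sensitive categories the article lists. The category grouping, the `min_other` threshold and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Assumption: this grouping of real Android permissions into the article's
# five categories is ours, not Kaspersky's.
CATEGORIES = {
    "contacts": {"READ_CONTACTS", "WRITE_CONTACTS"},
    "microphone": {"RECORD_AUDIO"},
    "camera": {"CAMERA"},
    "geolocation": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "call handling": {"PROCESS_OUTGOING_CALLS", "ANSWER_PHONE_CALLS",
                      "CALL_PHONE", "READ_CALL_LOG", "WRITE_CALL_LOG"},
}

def audit_manifest(xml_text, min_other=2):
    """Return matched categories and whether the mix warrants manual review."""
    root = ET.fromstring(xml_text)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name", "")
            if name.startswith(PREFIX):
                requested.add(name[len(PREFIX):])
    hits = {cat: sorted(perms & requested)
            for cat, perms in CATEGORIES.items() if perms & requested}
    others = [c for c in hits if c != "call handling"]
    # Assumed heuristic: call handling plus >= min_other sensitive categories.
    review = "call handling" in hits and len(others) >= min_other
    return {"categories": hits, "review": review}

# Constructed sample manifests (not taken from any real app).
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.ANSWER_PHONE_CALLS"/>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
</manifest>"""
```

A `review` result of `True` is a prompt for manual inspection, not a verdict: legitimate dialer or VoIP apps request call-handling permissions too, which is why the check keys on that category appearing in something that presents itself as a banking app.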