The banking Trojan, called Fakecalls, mimics the telephone customer support of popular South Korean banks. In addition, unlike well-known banking Trojans, it can sneak in calls to physical banks through its own connections. For example, cyber criminals try to seize victims’ financial data or other confidential information by impersonating bank employees.

Kaspersky researchers discovered the Fakecalls Banking Trojan in January 2021. Investigators found that when a customer called the bank’s helpline, the Trojan opened its own fake spoof call instead of the bank’s original call. There are two possible scenarios that occur after the call is intercepted. In the first, Fakecalls puts the victim in direct contact with cyber criminals posing as representatives of the bank. In the alternate scenario, the Trojan mimics a standard bank greeting and plays pre-recorded audio that resembles a standard speech using automated voicemail.

The Trojan horse also occasionally adds small Korean audio tracks. For example: “Hello, thank you for calling our bank. Our call center is currently receiving an unusually high number of calls. We will send an advisor to you as soon as possible”. The main purpose of such searches is to leak as much financial information of their victims as possible, including bank account information.

However, the cyber criminals who used this trojan did not think that some of their potential victims would use different interface languages, such as English instead of Korean. Only the Korean version of the fake calls screen is available. This means that some users using the English interface language suspect fraud and expose the threat.

Fakecalls application, which looks like a real banking application, when downloaded, asks for various permissions such as access to contacts, microphone, camera, geolocation and call management. With these permissions, the Trojan can drop incoming calls and delete them from the device history, for example when they try to reach the real bank customer. The Trojan not only monitors incoming calls, but also fakes outgoing calls. If the cyber criminals want to communicate with the victim, the Trojan displays its own invocation screen on the system. As a result, the user does not see the real number used by the cyber criminals, but the phone number of the bank’s support service represented by the Trojan horse.

While the scammers try to convince the victim that the app is real, all the fake calls imitate the mobile apps of well-known South Korean banks. It adds the real bank logos and displays the real bank support numbers as shown on the homepage of their official website.

Kaspersky Security researcher Igor Golovin say: “Bank customers are constantly instructed to be wary of phone calls from scammers. However, they do not foresee any danger when trying to reach the bank’s customer support directly. In general, we trust the bank employees, if there is a situation, we call them for help. That’s why we give them, and thus their followers, all the information they want. The cyber criminals behind the fake calls have combined two dangerous technologies: banking Trojans and social engineering. Because

victims are more likely to lose money and personal data. When downloading a new mobile banking application, keep in mind what permissions it asks for. If the app is suspiciously trying to gain excessive access to device controls, including call access, then the app is likely a banking Trojan

Source: (BHA) – Beyaz News Agency