Android Trojan FakeCall Prevents Victims from Reaching Their Bank and Redirects Calls to Scammers
Security experts at Zimperium have discovered an updated version of the FakeCall (also known as FakeCalls) malware. This malicious software intercepts outgoing calls made by users to their banks and redirects them to scammers, preventing victims from reaching legitimate customer support.
FakeCall is a banking trojan designed for voice phishing (vishing). Criminals use it to trick victims with fraudulent calls pretending to be from banks, coercing them into revealing confidential information. In addition to vishing, FakeCall can also intercept audio and video from infected devices, allowing attackers to steal sensitive data without the victim’s knowledge.
The malware was first reported in 2022 by Kaspersky Lab, which noted that the trojan disguised itself as apps from well-known South Korean banks, deceiving victims into believing they were calling their real bank. In 2023, Check Point analysts also reported on this threat, stating that FakeCall was impersonating official apps from over 20 financial institutions, offering low-interest loans, and had improved its ability to evade detection.
How FakeCall Works
According to Zimperium experts, previous versions of FakeCall prompted users to call their bank directly from within the app, masquerading as specific financial institutions. An overlay would display the real bank’s number, but the call would actually be connected to scammers.
In the 13 new samples analyzed by Zimperium, the malware has evolved further: the malicious app now sets itself as the default call handler and asks the user to approve this action during APK installation. This allows the malware to manage both incoming and outgoing calls, acting as the main interface for dialing, connecting, and ending calls. In other words, FakeCall gains the ability to intercept and manipulate all calls.
Fake User Interface
The fake interface closely mimics the real Android call screen, displaying genuine contact information and names, making the scam nearly impossible for victims to detect. As a result, when a user tries to call a financial institution, the trojan silently intercepts the call and redirects it to the scammers’ number.
“The victim won’t suspect anything, as the fake user interface imitates the real bank, allowing the attacker to collect confidential information or gain unauthorized access to the victim’s financial accounts,” the researchers write.
New Features and Capabilities
Although the new FakeCall code is heavily obfuscated, experts have found several improvements and new attack mechanisms, some still under development. For example, FakeCall now includes a Bluetooth listener and device screen state monitoring, though these features currently lack malicious functionality.
The malware also uses the Accessibility Service to gain broader control over the user interface, allowing it to monitor dialer activity, grant itself additional permissions, and simulate user actions such as clicks and gestures.
Additionally, the new service connects to the attackers’ command-and-control server and can receive commands to perform various actions, including determining device location, uninstalling apps, recording audio or video, and editing contacts.
New Commands Supported by FakeCall
- Start live streaming the device screen
- Take a screenshot
- Unlock the device if it’s locked and temporarily disable auto-lock
- Use Accessibility Service to simulate pressing the “Home” button
- Delete specific images
- Access, compress, and upload images and thumbnails from storage (especially from the DCIM folder)
How to Protect Yourself
To protect against such malware attacks, experts strongly recommend avoiding manual installation of apps via APK files. Instead, always install apps from the official Google Play Store.
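A defender-side check for the behaviours described above: the default call handler takeover, the Accessibility Service abuse, and installation from a sideloaded APK. This is an added example, not code from Zimperium or the original article; the allowlists, function names and the package names in the sample data are constructed assumptions.

```shell
#!/bin/sh
# Added example. Inputs are saved text output of these adb commands:
#   adb shell telecom get-default-dialer
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
# Assumption: output formats as on recent Android releases.

# Hypothetical allowlists: extend with your OEM dialer and approved stores.
TRUSTED_DIALERS="com.google.android.dialer com.android.dialer com.samsung.android.dialer"
TRUSTED_INSTALLERS="com.android.vending"

in_list() { case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac; }

# installer_of PKG PM_LIST -> installer package name, or "none"
installer_of() {
  printf '%s\n' "$2" | awk -v p="package:$1" '
    $1 == p { v = "none"
      for (i = 2; i <= NF; i++) if ($i ~ /^installer=/) v = substr($i, 11)
      print v; found = 1; exit }
    END { if (!found) print "none" }'
}

# has_a11y PKG A11Y -> success if PKG owns an enabled accessibility service
has_a11y() {
  printf '%s\n' "$2" | tr ':' '\n' | awk -F/ -v p="$1" '$1 == p { f = 1 } END { exit !f }'
}

# audit_dialer DIALER A11Y PM_LIST -> ok | review | suspicious
audit_dialer() {
  dialer=$(printf '%s' "$1" | tr -d '[:space:]')
  [ -n "$dialer" ] || { echo review; return 0; }
  if in_list "$dialer" "$TRUSTED_DIALERS"; then echo ok; return 0; fi
  score=0   # one point each: untrusted install source, accessibility service enabled
  in_list "$(installer_of "$dialer" "$3")" "$TRUSTED_INSTALLERS" || score=$((score + 1))
  if has_a11y "$dialer" "$2"; then score=$((score + 1)); fi
  if [ "$score" -ge 2 ]; then echo suspicious; else echo review; fi
}

# Constructed sample data (not from any real device or from the FakeCall samples).
SAMPLE_A11Y="com.google.android.marvin.talkback/.TalkBackService:com.example.bankloan/.CallAssistService"
SAMPLE_PM="package:com.google.android.dialer  installer=com.android.vending
package:com.example.bankloan  installer=null"

audit_dialer "com.example.bankloan" "$SAMPLE_A11Y" "$SAMPLE_PM"
```

A non-allowlisted dialer that meets only one of the two conditions is reported as `review` rather than `suspicious`, since legitimate third-party dialer apps exist.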