New “Scary” FakeCall Malware Captures Photos and OTPs on Android

A new, more sophisticated variant of the FakeCall malware is targeting Android devices. Learn about the advanced features that make this malware a serious threat, including screen capturing and remote-control capabilities.

Cybersecurity researchers at Zimperium’s zLabs have identified a “Scary” new variant of the FakeCall malware. This malware tricks victims into calling fraudulent phone numbers, leading to identity theft and financial loss. FakeCall is a vishing (voice phishing) malware which, once installed, can take almost complete control of a targeted Android phone.

The latest variant exhibits several new functionalities including the ability to identify, compress, and upload image thumbnails, selectively upload specific images, remotely control the screen, simulate user actions, capture and transmit live video feeds, and remotely unlock the device. These features can capture sensitive documents or personal photos.

The FakeCall malware typically infiltrates a device through a malicious app downloaded from a compromised website or a phishing email. The app requests permission to become the default call handler. If granted, the malware gains extensive privileges.

Attack flow (Zimperium)

According to Zimperium’s blog post shared with Hackread.com ahead of publishing on Wednesday, attackers are using a service called “The Phone Listener Service” in their attack. In fact, this service is a critical component of the malware, enabling it to manipulate the device’s calling capabilities allowing it to intercept and control all incoming and outgoing and grab sensitive information, such as one-time passwords (OTP) or account verification codes.

In addition, the malware can manipulate the device’s display to show fake call interfaces, tricking victims into providing sensitive information. Additionally, it can manipulate call logs to hide its malicious activity and control the duration of calls. These capabilities allow attackers to deceive victims into revealing sensitive information or transferring funds.

Screenshot of the actual fake call interface (Zimperium)

The malware also exploits the Android Accessibility Service to capture screen content and manipulate the device’s display to create a deceptive user interface while mimicking the legitimate phone app. This trick allows attackers to steal sensitive information, conduct surveillance, and even remotely control the device.

It monitors events from the stock dialer app and detects permission prompts from the system permission manager and system UI. Upon detecting specific events, it can grant permissions for the malware, bypassing user consent. The malware allows remote attackers to control the victim’s device UI, allowing them to simulate user interactions and manipulate the device with precision.

To protect against such malware, always download apps from trusted sources like Google Play Store, be cautious about permission requests, and use mobile security software with on-device detection capabilities.

1. Unicode QR Code Phishing Scam Bypasses Traditional Security
2. Malware Attack Imitates VPN, Security Apps on Android Phones
3. Antidot Android Malware Poses as Google Update to Steal Funds
4. QR Code Scam: Fake Voicemails Hits Users, 1000 Attacks in 14 Days
5. Advanced Vishing Attack Campaign “LetsCall” Targets Android Users