Fakecalls

Fakecalls is an Android trojan, first detected in January 2021, that masquerades as South Korean banking apps. It has capabilities to intercept calls to banking institutions and even maintain realistic dialogues with the victim using pre-recorded audio snippets.^[1]

ID: S1080

ⓘ

Type: MALWARE

ⓘ

Platforms: Android

Contributors: Pooja Natarajan, NEC Corporation India; Hiroki Nagahama, NEC Corporation; Manikantan Srinivasan, NEC Corporation India

Version: 1.0

Created: 21 July 2023

Last Modified: 11 October 2023

Techniques Used

Domain	ID		Name	Use
Mobile	T1429		Audio Capture	Fakecalls can turn on a device’s microphone to capture audio.^[1]
Mobile	T1616		Call Control	Fakecalls can intercept and imitate phone conversations by breaking the connection and displaying a fake call screen. It can also make outgoing calls and spoof incoming calls.^[1]
Mobile	T1533		Data from Local System	Fakecalls can access and exfiltrate files, such as photos or video.^[1]
Mobile	T1646		Exfiltration Over C2 Channel	Fakecalls can send exfiltrated data back to the C2 server.^[1]
Mobile	T1630	.002	Indicator Removal on Host: File Deletion	Fakecalls can manipulate a device’s call log, including deleting incoming calls.^[1]
Mobile	T1430		Location Tracking	Fakecalls can access a device’s location.^[1]
Mobile	T1655	.001	Masquerading: Match Legitimate Name or Location	Fakecalls has masqueraded as popular Korean banking apps.^[1]
Mobile	T1636	.002	Protected User Data: Call Log	Fakecalls can access the device’s call log.^[1]
		.003	Protected User Data: Contact List	Fakecalls can copy and exfiltrate a device’s contact list.^[1]
		.004	Protected User Data: SMS Messages	Fakecalls can access text message history.^[1]
Mobile	T1512		Video Capture	Fakecalls can request camera permissions.^[1]

References

Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. Retrieved July 21, 2023.

Fakecalls

Mobile Layer

Techniques Used

References