Hello there gang,
We talked in the past about apps that have taken advantage of the accessibility functions of Android. These accessibility options are used to allow people who are disabled to use the phone and interact with it like a sighted person would.
While this app abuses those same accessibility features, it also acts like your regular phone dialer. Once you place a call to your bank, the malware goes to work, rerouting the call to the actor, whose goal is to steal your credentials or, worse, your money.
This was first reported in 2022 as a trojan, and can now be seen as the next banking trojan.
Check Point then reported in March 2023 that calls to 20 different financial institutions were being rerouted by this malware. It lures victims with offers of low-interest loans and uses different mechanisms to evade detection.
This application uses what is known in this industry as vishing, otherwise known as voice phishing. This is how the actors are able to steal banking details if not your money directly.
Here are the seven bullet points from the article describing new commands recently spotted in the latest version, which, according to the article, is in active development.
- Configure the malware as the default call handler.
- Start live streaming of the device’s screen content.
- Take a screenshot of the device display.
- Unlock the device if it’s locked and temporarily turn off auto-lock.
- Use accessibility services to mimic the press of the home button.
- Delete images specified by the C2 server.
- Access, compress, and upload images and thumbnails from storage, specifically targeting the DCIM folder for photos.
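Two of those commands, becoming the default call handler and running an accessibility service, leave traces an administrator can check from a connected device. The following is an added example, not code from the article or from any of the researchers it cites: a small triage script that parses constructed samples of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3` output and flags any third-party app with an accessibility service enabled, especially one that is also the default dialer. The package names, the known-good accessibility list and the way the default dialer is looked up are assumptions.

```python
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Entries are colon-separated "package/service" pairs; the package names are made up.
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.callhelper/com.example.callhelper.AccService"
)

# Constructed sample of `adb shell pm list packages -3` (third-party packages only).
SAMPLE_THIRD_PARTY = """package:com.example.callhelper
package:com.android.chrome
"""

# Constructed sample of the current default dialer package. How you obtain this
# differs between Android versions, so it is treated as an input here (assumption).
SAMPLE_DIALER = "com.example.callhelper"

# Accessibility providers this check treats as expected (assumption; extend per fleet).
KNOWN_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_a11y_services(raw: str) -> dict:
    """Map each package to the list of its enabled accessibility service classes."""
    services = {}
    for entry in raw.strip().split(":"):
        if "/" not in entry:
            continue  # skip empty or malformed entries
        pkg, cls = entry.split("/", 1)
        services.setdefault(pkg, []).append(cls)
    return services


def parse_third_party(raw: str) -> set:
    """Extract package names from `pm list packages -3` output."""
    return {line.split(":", 1)[1].strip()
            for line in raw.splitlines() if line.startswith("package:")}


def triage(a11y_raw: str, third_party_raw: str, default_dialer: str) -> list:
    """Return (package, services, reason) for every unexpected accessibility service."""
    services = parse_a11y_services(a11y_raw)
    third_party = parse_third_party(third_party_raw)
    findings = []
    for pkg, classes in services.items():
        if pkg in KNOWN_A11Y_PACKAGES:
            continue
        reason = "third-party app" if pkg in third_party else "unrecognised package"
        reason += " with an enabled accessibility service"
        if pkg == default_dialer:
            reason += " AND holding the default dialer role"
        findings.append((pkg, classes, reason))
    return findings


if __name__ == "__main__":
    for pkg, classes, reason in triage(SAMPLE_A11Y, SAMPLE_THIRD_PARTY, SAMPLE_DIALER):
        print(f"{pkg}: {reason} ({', '.join(classes)})")
```

On a real device, feed the script the live output of the two `adb shell` commands instead of the constructed samples; anything it flags deserves a closer look before the phone is used for banking.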
The fact it abuses accessibility tools to mimic the pressing of the home button scares me just a little bit.
I don’t know much about the DCIM folder, but uploading photos of their choosing could be bad.
The fact that the phone can be unlocked at will should be a big concern! Make sure the phone has a password or passphrase. It is not clear how the malware unlocks the phone once it is locked, and it does not make sense to me that it could do so without knowing the password.
Taking a screenshot of the display could be harmless. Depending on when the screenshot is taken, it could be a problem, but it is not clear just from reading this article whether the timing is random.
Streaming the device’s screen is more interesting. It means the malware can capture whatever you’re doing, which could, in theory, include the combination you use to unlock your phone; that would explain how it could unlock the phone, as discussed above.
Finally, if I didn’t mention it, the C2 Server can instruct the device to delete photos. It doesn’t say what specific folders and images it could target, so make sure you have a backup of those photos.
I’ve been working with a company on an app, and they want assistance with Android. I’m very particular about my needs: if a device is sent to me, it needs to have everything working so I can perform my duties. The name of the company is not mentioned here, as that is not the point of this post. The developer understands where I’m coming from, though, so we’ll see how that goes.
It’s too bad that Android comes in so many flavors, although someone else at the same company indicates that Pixel devices have accessibility tools installed by default. That’s a good thing.
Maybe this company should be seeing this article, and maybe they will, due to the fact they’re a subscriber to this podcast and possibly the blog.
Zimperium, a company known to me, has also published research on this malware, along with indicators of compromise (IOCs) for people to use. Here is that report through GitHub.
The threat actor can change these IOCs at any time, so be on the lookout.
To read the entire article, it is titled Android malware “FakeCall” now reroutes bank calls to attackers.
Please be as safe as possible and make sure you’re running applications you trust.
Further Reading
- Android Overlay and Accessibility Features Leave Millions at Risk
- Google is finally doing something about all these malicious apps that take advantage of accessibility features?
- Don’t get blinded by Snowblind, Snowblind will blind you and take data