New PhoneyCall Malware Variant Hijacks Android Devices to Place Fraudulent Banking Calls
Security researchers have identified a new version of a known Android malware family called PhoneyCall that uses voice phishing (vishing) techniques to trick users into handing over their personal data.
“PhoneyCall represents an extremely intricate vishing attack which exploits malware to acquire nearly full command of the mobile device, including monitoring incoming and outgoing calls,” wrote Zimperium analyst Fernando Ortega in a recent report.
“Victims are fooled into dialing counterfeit phone numbers managed by the attacker and emulating the normal user interaction on the device.”
PhoneyCall, also tracked as PhoneyCalls and ConnectCall, has been the subject of several analyses by Kaspersky, Check Point, and ThreatFabric since it first surfaced in April 2022. Earlier campaigns have mostly targeted smartphone users in South Korea.
The malware was distributed inside apps posing as delivery apps; the malicious package names are enumerated in the report.
Like other Android banking malware families, which are notorious for abusing the accessibility services API to take control of devices and carry out malicious actions, PhoneyCall uses it to capture the content displayed on screen and to grant itself additional permissions as needed.
Other capabilities include harvesting a wide range of data, including SMS messages, contact lists, location, and the list of installed applications; taking photos; recording video from both the rear- and front-facing cameras; adding and deleting contacts; capturing audio clips; uploading images; and streaming a live video feed of all activity on the device using the MediaProjection API.
The newer versions can also monitor Bluetooth state and the device's screen state. What makes the malware more dangerous, however, is that it prompts the user to set the application as the default dialer, which gives it the ability to monitor all incoming and outgoing calls.
This not only allows PhoneyCall to intercept and hijack calls but also lets it replace a dialed number, such as a call to a bank, with a fraudulent number under the attacker's control, and coax victims into performing unintended actions.
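Both abuses described above, an unexpected default dialer and an unexpected accessibility service, are visible to any app on the device through public Android APIs. The following Kotlin helper is an added example of a defensive posture check (for instance inside a banking app or a mobile threat defense agent); it is not code from the Zimperium report, and the helper names and the allowlists of expected dialer and accessibility packages are assumptions that a real deployment would load from policy.

```kotlin
import android.content.ComponentName
import android.content.Context
import android.provider.Settings
import android.telecom.TelecomManager

// Hypothetical result type (not from the report).
data class DialerAudit(
    val defaultDialer: String?,               // package currently holding the Dialer role
    val dialerUnexpected: Boolean,            // true if that package is not on the allowlist
    val accessibilityServices: List<String>,  // enabled services as "pkg/.Class"
    val unexpectedAccessibility: List<String>, // enabled services whose package is not allowlisted
)

// Assumed allowlists; a real deployment would ship these as policy (OEM dialer,
// screen readers, etc.) rather than hard-coding them.
val EXPECTED_DIALERS = setOf("com.google.android.dialer", "com.android.dialer")
val EXPECTED_ACCESSIBILITY_PKGS = setOf("com.google.android.marvin.talkback")

fun auditDialerAndAccessibility(context: Context): DialerAudit {
    // TelecomManager.getDefaultDialerPackage() (API 23+) reports which package
    // owns the dialer role, i.e. who sees every incoming and outgoing call.
    val telecom = context.getSystemService(TelecomManager::class.java)
    val dialer: String? = telecom?.defaultDialerPackage

    // ENABLED_ACCESSIBILITY_SERVICES is a colon-separated list of flattened
    // ComponentNames; every entry can read on-screen content and inject input.
    val raw = Settings.Secure.getString(
        context.contentResolver, Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES
    ) ?: ""
    val services = raw.split(':')
        .filter { it.isNotBlank() }
        .mapNotNull { ComponentName.unflattenFromString(it) }

    val unexpected = services
        .filter { it.packageName !in EXPECTED_ACCESSIBILITY_PKGS }
        .map { it.flattenToShortString() }

    return DialerAudit(
        defaultDialer = dialer,
        dialerUnexpected = dialer != null && dialer !in EXPECTED_DIALERS,
        accessibilityServices = services.map { it.flattenToShortString() },
        unexpectedAccessibility = unexpected,
    )
}
```

A non-empty `unexpectedAccessibility` or `dialerUnexpected == true` is a signal to step up verification (or refuse in-app call-back flows) rather than proof of compromise, since legitimate third-party dialers and assistive tools trigger the same condition.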
By contrast, earlier versions of PhoneyCall were observed urging users to call the bank from within the malicious application, which impersonated various financial institutions under the pretext of a loan offer with a lower interest rate.
“When the compromised individual aims to contact their financial institution, the malware reroutes the call to a deceitful number controlled by the attacker,” Ortega commented.
“The malevolent application will deceive the user, flaunting a convincing fake UI that seems to be the genuine Android call interface exhibiting the actual bank’s phone number. The victim will remain unaware of the manipulation, as the malware’s bogus UI will mirror the legitimate banking experience, enabling the attacker to extract sensitive details or gain unauthorized access to the victim’s financial accounts.”
The emergence of novel, sophisticated mishing (short for mobile phishing) techniques reflects attackers adapting to improved security defenses and the widespread adoption of caller ID apps, which can flag suspicious numbers and warn users of potential spam.
Google has also recently been piloting a security feature that proactively blocks the sideloading of potentially unsafe Android apps, including those that request accessibility services permissions, in Singapore, Thailand, Brazil, and India.