
FakeCalls: the Spam Calls that Really Work [CPRadio]

May 15, 2023, 15 min

Episode description

For all the ridiculous spam calls in the world, only a small percentage of them are actually, legitimately convincing. According to the Korean government, "voice phishing" compromises nearly 200 Korean citizens every day, with average financial losses around 8,500 dollars' worth of Korean won.

If it’s that successful, surely, the scammers are doing something right. There’s more substance to these attacks than you might think.

Transcript

Produced by PI Media. Hi, I'm Ran Levi. Welcome to CPRadio. Have you ever received a phone call from a robot that was just such an obvious scam? "Hello? Owner of household? You have been approved for a low interest mortgage," or something like that. It's almost offensive. If you're gonna try to trick me, at least put in a little effort, you know.

Maybe it's because in America or Europe or wherever you live, there are so many people to scam, so many numbers to autodial, that criminals don't need to be all that talented to pick up a few gullible stragglers. Or maybe it's the same logic behind Nigerian Prince emails. Years ago, a Microsoft researcher wrote how sounding like a scammer, quote, "is an advantage to the attacker, not a disadvantage. Since his attack has a low density of victims, the Nigerian scammer has an overriding need to reduce false positives. By sending an email that repels all but the most gullible, the scammer gets the most promising marks to self-select and tilts the true to false positive ratio in his favor." End quote. But for all the stupid spam out there, there exists a small percentage which is legitimately worrying for even rational people. You might have encountered it yourself, especially if you live in a place like South Korea.

According to a report published by the Korean government, scam calls, or what we might refer to as voice phishing, compromise nearly two hundred Korean citizens every day, around one hundred and seventy thousand people in all between 2016 and 2020, with average financial losses around eight thousand, five hundred dollars' worth of Korean won. We're talking about a total of around a billion US dollars raked in by scammers in just half a decade. If it's that successful in just one country, surely they're doing something right, and there's more substance to these attacks than what you might be used to. This episode is about one of those campaigns affecting everyday Koreans right now, called FakeCalls, and what it might have to show us about cybersecurity in our part of the world as well.

To help us is Raman Ladutska. I'm a part of the Check Point Research team and I'm involved in different tasks. Mainly it's malware research, but from time to time it may be other investigations. And right now we will speak about the latest research conducted by Bohdan and me on FakeCalls. And Bohdan Melnykov. Okay, so I'm Bohdan, I'm working at Check Point as a malware researcher. I'm trying to save the world by analyzing the malicious samples, reversing applications, trying to extract the interesting data from them. And that's pretty much it.

We begin with a regular Korean citizen going about their life when they come across a loan offer online, on a website or in their inbox: download this app to take advantage of this offer, and so on. The application looks like, well, a legal banking application. Maybe a loan offer would seem a little fishy, but it's coming from their bank. The fonts, the logos, language and everything are all recognizable. At this point, we might consider this person unlucky. In Korea, seven banks manage between two hundred and seventy five and five hundred trillion won and another dozen manage between one hundred and one hundred trillion, and an efficient hacker might try to scam customers of the biggest bank or the second biggest to try and have the highest rate of victims possible. But with twenty options available, one person has a pretty good chance of not being included in that bunch. In reality, though, it has nothing to do with luck.

The malware operators generate a lot of various versions of the malware that have the same interface as popular banks. One trojan with over twenty interfaces, a display for everyone, no matter whom you're banking with. It may ask the user what bank they use, because the malware actors generate a lot of variants of the application to target various banks, and then it just installs this application to get the loan. It looks pretty legit for it. You see that it's from some specific bank. Remarkably, the app too looks pretty good. So when a victim installs this application on his or her device, he or she gets an impression that this application is a real banking application and it is able to perform the same operations. To get the data they need, the attackers dangle that loan offer. The fake loan offers offer lower interest rates in comparison to South Korean banks and financial institutions, and this is the main reason why the victim will accept this offer and, hopefully for the malware attackers, continue this attack chain.

So what happens exactly after the victim accepts this fake loan offer may vary from version to version. In general, they're just trying to ask for some information like name, contact, where you're working, your salary, required amount, ID number, and then operate with this information. All the information you'd expect to have to give in order to receive a loan, a kind of facade of legitimacy, when in the end what the hackers really want are our credit card numbers. In some cases the apps outright ask for it. The user has to input his or her credit card details, like sensitive data, and this is the whole point of this mimicking. In other cases, to keep up the facade of a legitimate loan opportunity, there are more steps involved. For example, some pre-recorded audio tracks may be launched, and so the victim will get an impression of speaking with an automated machine from the bank, which gives an instruction to leave credit card details, to input these details into some form and then send it to the presumable bank, or something like this.

People are less receptive to automated calls, as we've already discussed, so for better results, the hackers pick up the phones themselves, and then the victim will speak with a real person, who will be, of course, a malware operator. The interesting thing about it is the application helps the attacker to fool the user by showing not the real number, but the number that is related to the bank, the specific bank. It's worth remembering throughout the scam just how far the attackers are going to keep up appearances: a fake application that looks like the real thing and is fully operational, and at this stage, phone calls with actual human beings coming from the targeted bank's actual phone number. How do they even do that? It has like a call listener in the application that analyzes the incoming phone number, and if it's interesting to it, like it's their phone number, they can replace it with the bank number. There are other ways to mask the attacker's number as a legitimate one. At least theoretically, they may show, they draw the specific images of the stock dialer on some Samsung phones, just to fool the victim. Also, it may replace the phone call logs information, just to, again, if you'll later open the call history, you'll see, oh, it was a real bank operator. Else, it may modify the contacts in your phone book to, just again, verify that this was a legal call, and so on.

In all, FakeCalls is some of the most multifunctional malware you'll ever see. We haven't even mentioned, for example, its ability to capture live audio and video streams from the device's microphone and either its front or back camera, streaming that data straight to the attackers' C2 servers. Perhaps FakeCalls has to be this good to distinguish itself in an already fruitful underground voice phishing industry. So this market is very profitable for the attackers, and this scheme is very effective. So FakeCalls just takes the best of this world and tries to reimplement what was already established some time ago in South Korea, and the other Android malware that does the same. Okay, so this is the first kind of attack that we were aware of in the cybersecurity space? Like, it's interesting of itself. Yeah, that's why FakeCalls is pretty interesting to analyze, because there are a lot of various bankers that are able to steal the data, send text messages from the device, device identification, but like playing some voices for the user, streaming your camera to their server, it's a pretty unique technique. It wasn't used before.

Researchers at Kaspersky first published details of the FakeCalls malware campaign about a year ago. In the time since, the attackers have been constantly improving upon their capabilities. The malicious actors generate a lot of applications every day, and according to the code, they always evolve. They started from storing the C&C, for example, in a resource file. Then they decided to place it into the code and encrypt it. Then the key was located in the resources, then in the code. Then they decided to go to the droppers, so they started from using GitHub as a mirror, web-based, to reach to Google Drive. So they're always trying to improve the malware and generate more samples. More samples means that the trojan can continue to stay under the radar. Once antivirus programs pick up on their scent, they're already wearing a new perfume. In fact, the FakeCalls hackers have implemented a new suite of mechanisms designed to evade detection by the victim, by any antivirus software they may have running, and by security researchers themselves. First of all, they are trying to add the anti-analysis techniques that will break the logic of antivirus engines, that will fail under application analysis. The second thing is that they create the apparent application that has almost no permissions and create the real malicious application in the assets folder. So if some antivirus will analyze the application, it'll see that there are almost no permissions and nothing to worry about. And finally, when the user installs this payload that contains all the malicious functionality, it will start collecting the data from the user device, and it will be too late to block, like to detect this malware before the installation. Yeah, so basically, if the user may try to check the application on some sites, it will see that the application is legit. But if you don't have any antivirus installed on the device, it will not be able to understand that there is some other application inside this application that will be installed.

Despite a year in the wild, and who knows how many victims compromised, so many questions about FakeCalls still remain unanswered. We suppose that there is only one operator behind this malware. It's not widely spread, it's not available for rent or something like this. So this is the malware that is used by the malware operators for themselves. But we cannot really say who is behind it. It may be a governmental attack from another country. It may be just a private attempt to gather as much money as possible. And in order to say this, we have to cooperate with various security institutions, maybe even law enforcement, to investigate further, because according to all sources, we're not able to say with more precision. As long as the attackers keep evading governments and cyber researchers, and as long as these attacks remain as effective as they are, more hackers will likely adopt these same tactics, and the problem will grow and spread, likely to a country near you. As we see, this market is still profitable, the malware is still lurking there. The new versions of the FakeCalls malware still appear, and so the attacks continue. Be aware the next time you pick up the phone.

That's it for this episode. Thank you for listening. For past episodes of the podcast, visit the Check Point Research blog at research.checkpoint.com, and you can follow Check Point Research on Twitter, or follow me at @ranlevi, R-A-N-L-E-V-I. CPRadio is produced by PI Media, written by eMate Neilson, produced by Hila Shmish, and edited and narrated by Ran Levi. See you next episode. Bye bye.
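As an added illustration of the dropper layout the researchers describe (a wrapper app with almost no permissions carrying the real application inside its assets folder), and not code from the episode or from Check Point Research: a small Python triage heuristic that scans an APK's assets/ entries for a nested APK, a DEX file, or an encrypted-looking blob. The sample archive it runs on is constructed inline; `build_zip` and the file names are assumptions for the demonstration.

```python
import io
import math
import zipfile

DEX_MAGIC = b"dex\n"          # header of a Dalvik executable
ZIP_MAGIC = b"PK\x03\x04"     # header of a zip/APK local file entry


def build_zip(files: dict) -> bytes:
    """Build an uncompressed zip in memory from {name: bytes} (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_apk() -> bytes:
    """Constructed sample: a wrapper APK whose assets/ hides a second APK."""
    hidden = build_zip({"classes.dex": DEX_MAGIC + b"035\x00" + b"\x00" * 64})
    return build_zip({
        "AndroidManifest.xml": b"<manifest/>",        # placeholder, not real AXML
        "classes.dex": DEX_MAGIC + b"035\x00" + b"\x00" * 16,
        "assets/config.json": b'{"lang": "ko"}',        # benign asset
        "assets/update.bin": hidden,                   # the real payload
    })


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for random or encrypted data, low for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_assets(apk_bytes: bytes, entropy_threshold: float = 7.5) -> dict:
    """Return {asset_path: reason} for assets that look like hidden code."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = z.read(info)
            if data.startswith(ZIP_MAGIC):
                findings[info.filename] = "embedded zip/APK"
            elif data.startswith(DEX_MAGIC):
                findings[info.filename] = "embedded DEX"
            elif len(data) >= 1024 and shannon_entropy(data) > entropy_threshold:
                findings[info.filename] = "high-entropy blob (possibly encrypted payload)"
    return findings
```

A hit is only a triage signal: legitimate apps also ship compressed or encrypted assets, so findings should feed a closer look at the manifest and the dropper's install path rather than a verdict on their own.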
