When a financial services app you are using causes an unexpected incoming call announcing irresistible offers, it is probably a scam

An Android trojan malware dubbed FakeCalls has been used to masquerade as more than 20 financial applications and imitate phone conversations with bank employees in South Korea.

The idea of vishing (phishing via voice-based phone calls) is to trick the victim into thinking that there is a real bank employee on the other side of the call. As the victim thinks that the application in use is an internet-banking application (or payment system application) of a real financial institution, there is no reason to be suspicious of an offer to apply for a loan with a lower interest rate — which is fake, of course.

In the case of the latest vishing campaign, the evasion technique is something that Check Point Research has not encountered before. The firm recently discovered more than 2,500 variants of the FakeCalls malware whose code contains anti-analysis techniques to thwart forensic investigation. In addition, clever mechanisms (using dead drop resolvers) have been used to disguise the command-and-control servers used in the scam operation.

The likely explanation for choosing South Korea as the target is that vishing has been highly successful in the country. Previous campaigns had resulted in financial losses of approximately US$600m in 2020, with the number of victims being as high as 170,000 people in the period from 2016 to 2020. Cumulatively, phishing scams in South Korea have caused more than US$1.24bn in damage over the past five years, with less than 30% of the stolen money being tracked down.

Check Point reminds the public to stay vigilant against vishing attacks: Never provide personal data (passwords, one-time passwords, financial data, or similar information) over any incoming unsolicited calls. Even if a caller appears to be legitimate, get the caller’s name and call him/her back by using the official corporate department phone number. If the caller tries to dissuade such a process, then the call is probably a scam. Also, never grant remote access to any computer to any caller pretending to fix software or malware issues.