Stealthier Android Trojan Now Intercepts Bank Voice Calls

A recent analysis by Zimperium has revealed sophisticated evasion techniques utilized by a new variant of the FakeCall Trojan, which complicate the identification of its malicious code. Originally, researchers believed these apps might belong to a previously undiscovered malware family. However, further investigation revealed that the obfuscation involved concealing harmful functionality within a dynamically decrypted and loaded .dex file. This method allowed the malware to evade immediate detection during routine analysis.

In-depth analysis of the .dex file, obtained from the memory of an infected device, uncovered parallels with an earlier malware variant identified by the package name com.secure.assistant, linking it directly to the FakeCall Trojan. This correlation suggests that despite its evolution, the underlying principles of this malware remain consistent with its predecessors.

Many of the newly introduced features of this malware have yet to be fully operational. For example, a Bluetooth receiver component has been integrated, which monitors Bluetooth status and operations without showing immediate signs of malicious intent. This raises questions about whether it functions as a potential placeholder for future developments. Likewise, a screen receiver merely tracks whether the display is on or off, lacking any discernible malicious activities.

One of the more concerning innovations is the implementation of an Accessibility Service built on the Android Accessibility framework. This service allows the malware to gain considerable control over the user interface and capture screen information. Static analysis of the decompiled code showed that the service's lifecycle methods hand off to native code, which obscures the specific malicious behaviour behind these functions. However, previous iterations of this malware provide insights into its likely capabilities.

Among these functionalities is the ability to monitor dialer activities, particularly concerning the stock dialer app under the package com.skt.prod.dialer. This suggests that the malware can detect when users initiate calls through applications not affiliated with it. Furthermore, the service appears equipped to automatically grant permissions by recognizing prompts from system managers, thereby circumventing user consent. This sophisticated manipulation could allow the malware to further entrench itself within the compromised system without detection.
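As an added defender-side illustration (not code from the Zimperium analysis or from the malware), the following Python triage script scores a decompiled APK's manifest and string table against the indicators this article names: dynamic dex loading paired with runtime decryption, an accessibility service declaration, references to com.skt.prod.dialer, and the earlier package name com.secure.assistant. The sample inputs, regexes, weights and thresholds are constructed assumptions for the example.

```python
import re

# Constructed sample inputs standing in for a decompiled manifest and the
# string table of classes.dex. Not taken from any real sample.
SAMPLE_MANIFEST = """
<manifest package="com.secure.assistant">
  <service android:name=".AccService"
           android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
    <intent-filter>
      <action android:name="android.accessibilityservice.AccessibilityService"/>
    </intent-filter>
  </service>
</manifest>
"""
SAMPLE_STRINGS = [
    "Ldalvik/system/InMemoryDexClassLoader;",
    "Ljavax/crypto/Cipher;",
    "AES/CBC/PKCS5Padding",
    "com.skt.prod.dialer",
    "Landroid/bluetooth/BluetoothAdapter;",
]

# (label, regex, weight). Weights are an assumption chosen for this example.
INDICATORS = [
    ("dynamic_dex_loading", r"dalvik/system/(InMemory)?DexClassLoader", 3),
    ("runtime_decryption", r"javax/crypto/Cipher|AES/", 1),
    ("accessibility_service", r"BIND_ACCESSIBILITY_SERVICE", 3),
    ("dialer_monitoring", r"com\.skt\.prod\.dialer", 2),
    ("known_fakecall_package", r"com\.secure\.assistant", 4),
]

def triage(manifest, strings):
    """Return (findings, score). A loader plus a cipher is flagged as a
    packed payload, which is the pattern the article describes."""
    haystack = manifest + "\n" + "\n".join(strings)
    findings = [lbl for lbl, pat, _ in INDICATORS if re.search(pat, haystack)]
    score = sum(w for lbl, _, w in INDICATORS if lbl in findings)
    if "dynamic_dex_loading" in findings and "runtime_decryption" in findings:
        findings.append("packed_dex_payload")
        score += 2
    return findings, score

def verdict(score):
    # Thresholds are an assumption for this example, not the report's.
    if score >= 8:
        return "high"
    return "medium" if score >= 4 else "low"

if __name__ == "__main__":
    found, total = triage(SAMPLE_MANIFEST, SAMPLE_STRINGS)
    print(verdict(total), total, found)
```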

Another critical aspect of the FakeCall Trojan’s functionality is its remote access capabilities, which grant attackers complete control over the victim’s device interface. This enables attackers to execute user-like behaviors such as tapping, swiping, and navigating across applications, providing them with powerful access to manipulate devices covertly.

The Kaspersky report from 2022 highlights that earlier iterations of the FakeCall Trojan primarily targeted specific banking institutions in South Korea and were available exclusively in Korean. However, recent findings by ThreatFabric indicate that the Trojan has expanded its linguistic support to English, Japanese, and Chinese, though it remains unclear if there are active efforts to target speakers of these languages directly.

The tactics harnessed by this malware fall within several categories of the MITRE ATT&CK framework, including initial access through deceptive app installations, persistence via long-running background services, and privilege escalation through the misuse of accessibility services. The evolving tactics and techniques of the FakeCall Trojan underscore the need for heightened vigilance among business owners regarding their cybersecurity measures in the face of increasingly sophisticated threats.
