
Call Interception & Voice Phishing

Intercepting, redirecting, and faking phone calls on Android to conduct voice phishing (vishing) attacks. Unlike traditional phishing that targets text-based credentials, call interception exploits the inherent trust users place in voice communication with their bank. The victim dials their bank's real number, but the malware silently redirects the call to an attacker-controlled line where a human operator or pre-recorded IVR extracts sensitive information.

See also: Phishing Techniques, SMS Interception, Accessibility Abuse

Requirements

| Requirement | Details |
|---|---|
| Call handler | Default phone handler role (user must approve) |
| Permissions | CALL_PHONE, READ_PHONE_STATE, BIND_ACCESSIBILITY_SERVICE |
| Alternative | CallRedirectionService role (Android 10+) |

Call Redirection Techniques

Default Call Handler Exploitation

This is the most powerful of the techniques described here. When the malware becomes the default call handler, it manages the entire call lifecycle: dialing, connecting, displaying the in-call UI, and ending calls. This gives it complete control over what the user sees and hears.

FakeCall (also tracked as FakeCalls) pioneered this approach. First reported by Kaspersky in April 2022, the malware prompts the user to set it as the default call handler during installation. Once approved:

  1. User dials their bank's real phone number
  2. FakeCall intercepts the outgoing call intent
  3. The real call is cancelled silently
  4. FakeCall displays a fake call UI showing the bank's real number
  5. The call is routed to an attacker-controlled number
  6. A human operator or pre-recorded IVR answers as the bank

The fake call UI mimics the native Android dialer so convincingly that the victim sees their bank's name and number on screen while actually speaking to the attacker. Zimperium's 2024 analysis documented expanded capabilities including accessibility service abuse for automatic permission grants, MediaProjection for screen streaming, and camera/photo capabilities.

CallRedirectionService (Android 10+)

Android 10 replaced the deprecated PROCESS_OUTGOING_CALLS broadcast with CallRedirectionService, a dedicated API for legitimate call redirection (e.g., VoIP routing). Malware can register as a call redirection service:

<service android:name=".MaliciousRedirector"
    android:permission="android.permission.BIND_CALL_REDIRECTION_SERVICE">
    <intent-filter>
        <action android:name="android.telecom.CallRedirectionService" />
    </intent-filter>
</service>

The user must approve the app for the call redirection role via RoleManager. Once granted, the service receives onPlaceCall() for every outgoing call and can redirect it to any number via redirectCall().

USSD Code Forwarding

Malware with CALL_PHONE permission can silently dial USSD codes to enable unconditional call forwarding at the carrier level:

| USSD Code | Function |
|---|---|
| *21*[number]# | Unconditional forwarding (all calls) |
| *67*[number]# | Forward when busy |
| *61*[number]# | Forward when unanswered |
| *62*[number]# | Forward when unreachable |
| ##21# | Deactivate forwarding |

This technique works transparently at the network level. The victim's phone never rings; calls go directly to the attacker. No special permissions beyond CALL_PHONE are required because USSD codes are dialed as regular calls.

VoIP-Based Interception

Letscall

ThreatFabric documented Letscall in July 2023 as a sophisticated three-stage vishing toolkit targeting South Korean users.

| Stage | Component | Function |
|---|---|---|
| 1 | Downloader | Prepares device, installs spyware payload |
| 2 | Spyware | Establishes VoIP infrastructure using ZEGOCLOUD WebRTC SDK |
| 3 | Call companion | Redirects calls to attacker call center, enables P2P voice/video |

The VoIP layer uses WebRTC with STUN/TURN servers (including Google's public STUN servers) for NAT traversal. The same P2P channel serves as both the voice call pathway and the C2 communication channel. Evasion included Tencent Legu and Bangcle obfuscation, long ZIP directory names, and manifest corruption.

Fake IVR Systems

Attackers use pre-recorded Interactive Voice Response (IVR) systems that mimic a bank's phone menu. When the victim "calls their bank" (actually reaching the attacker), they hear:

  1. Welcome message matching the bank's real greeting
  2. Menu options ("Press 1 for account balance, Press 2 for card services...")
  3. Prompts for card number, PIN, or OTP via keypad
  4. Keypad input captured by the malware or VoIP system

FakeCall maintains recorded IVR audio for multiple Korean financial institutions. The recordings are convincing enough that victims enter their full card details and PINs via the phone keypad.

Call Recording

Android Version Restrictions

| Version | Change | Impact |
|---|---|---|
| Pre-Android 9 | MediaRecorder + AudioSource.VOICE_CALL worked freely | Full call recording possible |
| Android 9 | VOICE_CALL audio source restricted | Apps must use VOICE_RECOGNITION or accessibility workarounds |
| Android 10 | Background microphone access restricted | Foreground service required |
| Android 11+ | Further restrictions on call recording APIs | Third-party call recording effectively blocked for legitimate apps |

Malware Workarounds

Despite platform restrictions, malware achieves call recording through:

  1. Accessibility + MediaRecorder: The accessibility service detects call state, then a foreground service records via AudioSource.MIC (captures the user's voice and speaker output in speakerphone mode)
  2. MediaProjection screen capture with audio: Captures system audio output including the call (requires one-time user consent for the MediaProjection dialog)
  3. Speaker recording: Forces speakerphone mode via accessibility, then records ambient audio via microphone

SpyNote uses a background service with MediaRecorder set to AudioSource.MIC to record call audio, saving files to external storage. On Android 9+, it uses a foreground service with IMPORTANCE_MIN notification to maintain microphone access.

Call Log Manipulation

With READ_CALL_LOG and WRITE_CALL_LOG permissions, malware can:

  • Read call history to identify banking calls
  • Delete evidence of redirected or recorded calls
  • Insert fake call log entries to maintain the illusion of a real bank call

Deleting every call log entry that matches the attacker's number, for example:

// Remove all call log rows whose NUMBER column equals attackerNumber
getContentResolver().delete(
    CallLog.Calls.CONTENT_URI,
    CallLog.Calls.NUMBER + " = ?",
    new String[]{attackerNumber}
);

Families Using Call Interception

| Family | Technique | Targets | Source |
|---|---|---|---|
| FakeCall/FakeCalls | Default call handler, fake UI, IVR | Korean banks | Kaspersky, Zimperium |
| Letscall | VoIP via WebRTC/ZEGOCLOUD, STUN/TURN relay | Korean users | ThreatFabric |
| Cerberus | SMS/call interception, 2FA bypass | European banks | Malpedia |
| SpyNote | Call recording via foreground service | Global | CYFIRMA |
| Medusa | Call/SMS interception, accessibility logging | Turkish/European banks | ThreatFabric |

Android Version Timeline

| Version | Change | Impact on Malware |
|---|---|---|
| Pre-6.0 | All permissions granted at install | Call interception trivial |
| 6.0 | Runtime permissions for CALL_PHONE, READ_PHONE_STATE | User must grant explicitly; accessibility auto-grants |
| 9.0 | VOICE_CALL audio source restricted | Call recording moves to MIC source with speakerphone |
| 10 | PROCESS_OUTGOING_CALLS deprecated; CallRedirectionService introduced | Malware adopts new API or uses default handler approach |
| 10+ | Background microphone restrictions | Foreground service required for recording |
| 14+ | Foreground service type declaration required | Must declare microphone type in manifest |

Detection During Analysis

Static Indicators

  • android.telecom.CallRedirectionService in manifest
  • Request for ROLE_CALL_REDIRECTION via RoleManager
  • TelecomManager API usage (especially getDefaultDialerPackage())
  • USSD code strings (*21*, *67*, *61*) in code or resources
  • Audio recording setup (MediaRecorder, AudioRecord) near telephony state listeners
  • CALL_PHONE + READ_PHONE_STATE + READ_CALL_LOG permission combination
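
As an added triage example (not code from the original page or from any of the families above), a small Python script that checks a decoded AndroidManifest.xml and decompiled strings for the static indicators just listed; the manifest and smali lines are constructed inputs, and the event names used are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Static indicators from the list above: the permission triad, the redirection
# service declaration, telecom role/dialer API references and forwarding USSD codes.
PERM_TRIAD = {"android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE",
              "android.permission.READ_CALL_LOG"}
REDIRECT_ACTION = "android.telecom.CallRedirectionService"
API_MARKERS = ("android.app.role.CALL_REDIRECTION", "android.app.role.DIALER",
               "getDefaultDialerPackage")
# *21*, *61*, *62*, *67* followed by a number and '#' (see the USSD table above).
USSD_FORWARD_RE = re.compile(r"\*(?:21|61|62|67)\*\+?\d{3,15}#")

def scan_manifest(xml_text):
    """Indicators found in a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    found = []
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    if PERM_TRIAD <= perms:
        found.append("permission triad CALL_PHONE+READ_PHONE_STATE+READ_CALL_LOG")
    for svc in root.iter("service"):
        if any(a.get(NS + "name") == REDIRECT_ACTION for a in svc.iter("action")):
            found.append("CallRedirectionService: " + svc.get(NS + "name", "?"))
    return found

def scan_strings(text):
    """Indicators found in decompiled code (smali/Java) or extracted string resources."""
    found = [f"USSD forwarding code {m.group(0)}" for m in USSD_FORWARD_RE.finditer(text)]
    found += [f"telecom role/API marker {m}" for m in API_MARKERS if m in text]
    return found

def scan(manifest_xml, code_text):
    return scan_manifest(manifest_xml) + scan_strings(code_text)

# Constructed sample inputs for demonstration; not taken from any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application>
    <service android:name=".Redirector"
        android:permission="android.permission.BIND_CALL_REDIRECTION_SERVICE">
      <intent-filter>
        <action android:name="android.telecom.CallRedirectionService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
SAMPLE_SMALI = 'const-string v0, "*21*15550100#"\nconst-string v1, "android.app.role.CALL_REDIRECTION"\n'
```

Run `scan(SAMPLE_MANIFEST, SAMPLE_SMALI)` to get the list of matched indicators; a binary manifest must first be decoded (e.g. with apktool) before it can be parsed as XML.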

Dynamic Indicators

  • App requests default phone handler role
  • Outgoing calls to known bank numbers redirected to different destinations
  • USSD codes dialed programmatically
  • Audio recording service started during call state changes
  • Call log entries deleted after suspicious calls
  • WebRTC/VoIP library initialization without visible video/voice UI
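
As an added example that is not from the original page, the dynamic indicators above turned into detection logic over a constructed sandbox trace; the event names and the `<seconds> <EVENT> key=value` line format are assumptions, not the output of any real tool.

```python
import re

# Constructed sandbox trace, one hooked telephony/audio event per line in an assumed
# "<seconds> <EVENT> key=value ..." format (not the output of any real tool).
SAMPLE_TRACE = """\
0.0 CALL_PLACED number=+8215550100
0.2 CALL_REDIRECTED from=+8215550100 to=+8200009999
0.5 CALL_STATE state=OFFHOOK
1.1 RECORDER_STARTED source=MIC
30.0 CALL_STATE state=IDLE
30.4 CALLLOG_DELETE number=+8200009999
31.0 USSD_DIALED code=*21*8200009999#
"""

LINE_RE = re.compile(r"^(?P<t>[\d.]+) (?P<ev>[A-Z_]+)(?P<kv>(?: \w+=\S+)*)$")

def parse_trace(text):
    """Yield (seconds, event, {key: value}) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            kv = dict(p.split("=", 1) for p in m.group("kv").split())
            yield float(m.group("t")), m.group("ev"), kv

def detect_call_interception(text, recorder_window=5.0):
    """Map the dynamic indicators above onto the trace and return alert strings."""
    alerts, redirected_to, last_state_change = [], set(), None
    for t, ev, kv in parse_trace(text):
        if ev == "CALL_REDIRECTED" and kv["from"] != kv["to"]:
            # Outgoing call placed to one number but connected to another
            alerts.append(f"redirect {kv['from']} -> {kv['to']}")
            redirected_to.add(kv["to"])
        elif ev == "CALL_STATE":
            last_state_change = t
        elif (ev == "RECORDER_STARTED" and last_state_change is not None
              and t - last_state_change <= recorder_window):
            # Audio capture begun right after a call state change
            alerts.append(f"recorder ({kv['source']}) started "
                          f"{t - last_state_change:.1f}s after call state change")
        elif ev == "CALLLOG_DELETE" and kv["number"] in redirected_to:
            # Evidence of the redirected call removed from the call log
            alerts.append(f"call log entry for redirect target {kv['number']} deleted")
        elif ev == "USSD_DIALED":
            # Carrier-level forwarding set up programmatically
            alerts.append(f"call-forwarding USSD dialed: {kv['code']}")
    return alerts
```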