Fakecalls¶
Fakecalls is a Korean-language Android banking trojan with voice phishing (vishing) capabilities: it intercepts outgoing calls to real bank phone numbers and replaces them with attacker-controlled recorded conversations. Kaspersky published a detailed analysis of the call interception mechanism. McAfee later documented variants signed with a legitimate Android app signing key, which lets the malware pass signature-based detection and app verification checks that trust the certificate. The family targets major South Korean banks exclusively and is notable for folding automated voice phishing into an otherwise conventional banking trojan.
Overview¶
| Attribute | Details |
|---|---|
| First Seen | 2022 |
| Last Seen | Active |
| Status | Active, ongoing Korean campaigns |
| Type | Banking trojan with vishing capability |
| Attribution | Unknown; Korean-language operations |
| Aliases | None known |
Vendor Names¶
| Vendor | Name |
|---|---|
| Kaspersky | HEUR:Trojan-Banker.AndroidOS.Fakecalls |
| McAfee | Android/Fakecalls |
| AhnLab | Trojan/Android.FakeCalls |
| ESET | Android/Spy.Banker.Fakecalls |
Origin and Lineage¶
Fakecalls is independently developed, with no known code lineage to other banking trojan families. Its distinguishing feature is the integration of voice call interception with mobile banking fraud, a combination rarely documented in other families. Where Copybara relies on human operators placing real vishing calls (telephone-oriented attack delivery, TOAD), Fakecalls automates the voice phishing: it intercepts the victim's own call to the bank and plays pre-recorded IVR (Interactive Voice Response) audio.
Distribution¶
| Vector | Details |
|---|---|
| Fake banking apps | APKs impersonating KB Kookmin Bank, Shinhan Bank, Samsung Card, Hana Bank |
| Third-party stores | Korean third-party app repositories |
| Smishing | SMS lures directing users to fake banking app download pages |
The fake apps closely replicate the look of legitimate Korean banking applications, using official logos, color schemes, and interface layouts.
Capabilities¶
| Capability | Description |
|---|---|
| Call interception | Intercepts outgoing calls to real bank numbers, replaces with recorded audio |
| Call spoofing | Displays the real bank's phone number on screen while the call is redirected |
| Recorded IVR playback | Plays pre-recorded Korean-language IVR menus mimicking bank customer service |
| Live operator handoff | Can connect victim to a live attacker posing as bank staff |
| Overlay attacks | Credential phishing overlays over banking apps |
| SMS interception | Reads and intercepts OTP codes |
| Screen streaming | Real-time screen capture sent to C2 |
| Device info collection | IMEI, phone number, installed apps, contacts |
| GPS location | Tracks victim location |
Call Interception Flow¶
The voice phishing attack chain:
- User dials their real bank's customer service number
- Fakecalls intercepts the outgoing call before it connects
- The call is redirected to the attacker's infrastructure
- The real bank's phone number continues to display on screen
- Pre-recorded IVR audio plays, mimicking the bank's automated menu
- Victim follows voice prompts, entering account numbers, PINs, card numbers
- Captured data transmitted to C2
- Optionally, a live Korean-speaking attacker takes over the call
Technical Details¶
Call Interception¶
Fakecalls uses Android's telephony and telecom APIs to intercept and redirect outgoing calls:
- Registers as a phone call handler through the dialer role, which lets it draw its own in-call screen
- Monitors outgoing calls for target bank phone numbers
- Blocks the actual call from connecting
- Plays pre-recorded audio through the in-call audio stream
- Displays a fake call UI showing the real bank number
The call-handling features described here require the CALL_PHONE, READ_PHONE_STATE and ANSWER_PHONE_CALLS permissions. Seeing the dialed number before the call connects is what makes the redirect possible; Android exposes that either through the NEW_OUTGOING_CALL broadcast (PROCESS_OUTGOING_CALLS permission, deprecated since Android 10) or through a CallRedirectionService held under the call-redirection role. Which of these a given sample uses is a per-variant detail, so the indicator to look for is a "banking" app that requests any of them alongside SMS and overlay permissions.
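The following triage script is an added example written for this page; it is not Fakecalls' code and not taken from any vendor report. It parses a decoded AndroidManifest.xml (the text form apktool writes) and reports whether an app declares the pieces the interception flow above needs: a dialer intent filter plus an InCallService (so it can be granted the dialer role and show its own call UI), a CallRedirectionService, or the PROCESS_OUTGOING_CALLS permission, together with call-control, SMS and overlay permissions. The sample manifest, its package name `com.example.fakebank`, and the verdict labels are all constructed for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for the telephony indicators
a call-intercepting banker needs.

Added example: not Fakecalls' code and not from any vendor report. The sample
manifest below is constructed for illustration; the package name is fictional.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERM = "{%s}permission" % ANDROID_NS
A_SCHEME = "{%s}scheme" % ANDROID_NS

# Runtime permissions grouped by the capability they unlock on the device.
CAPABILITY_PERMS = {
    "call_control": {
        "android.permission.CALL_PHONE",
        "android.permission.ANSWER_PHONE_CALLS",
        "android.permission.READ_PHONE_STATE",
        "android.permission.PROCESS_OUTGOING_CALLS",  # NEW_OUTGOING_CALL broadcast
    },
    "sms_theft": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "audio_capture": {"android.permission.RECORD_AUDIO"},
}

# Binding permissions that only telecom-integrated components (in-call UI,
# call redirection, call screening) declare on their <service> element.
TELECOM_SERVICE_PERMS = {
    "android.permission.BIND_INCALL_SERVICE": "in_call_ui",
    "android.permission.BIND_CALL_REDIRECTION_SERVICE": "call_redirection",
    "android.permission.BIND_SCREENING_SERVICE": "call_screening",
}


def triage_manifest(xml_text):
    """Return package name, requested capability groups, declared telecom
    services, whether the app can be offered the dialer role, and a verdict."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A_NAME) for e in root.iter("uses-permission")}
    caps = {cap for cap, perms in CAPABILITY_PERMS.items() if requested & perms}
    services = {TELECOM_SERVICE_PERMS[s.get(A_PERM)]
                for s in root.iter("service") if s.get(A_PERM) in TELECOM_SERVICE_PERMS}

    # A default-dialer candidate must handle ACTION_DIAL with the tel: scheme
    # and host an InCallService; requiring both avoids flagging "call us" buttons.
    handles_dial = False
    for act in root.iter("activity"):
        for filt in act.iter("intent-filter"):
            actions = {a.get(A_NAME) for a in filt.iter("action")}
            schemes = {d.get(A_SCHEME) for d in filt.iter("data")}
            if "android.intent.action.DIAL" in actions and "tel" in schemes:
                handles_dial = True
    dialer_candidate = handles_dial and "in_call_ui" in services

    # Can the app see or reroute a call the user places to a bank number?
    can_intercept = (
        dialer_candidate
        or "call_redirection" in services
        or "android.permission.PROCESS_OUTGOING_CALLS" in requested
    )
    if can_intercept and "call_control" in caps and "sms_theft" in caps:
        verdict = "vishing_banker_profile"
    elif can_intercept:
        verdict = "telecom_integration"
    else:
        verdict = "no_call_interception"
    return {
        "package": root.get("package"),
        "capabilities": caps,
        "telecom_services": services,
        "dialer_candidate": dialer_candidate,
        "verdict": verdict,
    }


# Constructed manifest modelled on the capability list above (fictional package).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ANSWER_PHONE_CALLS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Bank">
        <activity android:name=".DialActivity">
            <intent-filter>
                <action android:name="android.intent.action.DIAL"/>
                <category android:name="android.intent.category.DEFAULT"/>
                <data android:scheme="tel"/>
            </intent-filter>
        </activity>
        <service android:name=".FakeInCallService"
            android:permission="android.permission.BIND_INCALL_SERVICE">
            <intent-filter>
                <action android:name="android.telecom.InCallService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in sorted(triage_manifest(SAMPLE_MANIFEST).items()):
        print("%-17s %s" % (key, value))
```

The verdict is deliberately conservative: a genuine dialer or call-screening app also lands in `telecom_integration`, so the script only escalates to `vishing_banker_profile` when call interception is paired with SMS access, which a legitimate dialer has no reason to request. Run it over the manifest apktool extracts from a sample; the binary manifest inside an APK has to be decoded first.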
Legitimate Signing Key Abuse¶
McAfee documented variants signed with a compromised but legitimate Android app signing key:
- APK signed with a key associated with legitimate Korean apps
- Passes signature-based detection that allowlists known signing certificates on their own rather than the certificate together with the package it is expected to sign
- Passes some device-level app verification checks
- How the operators obtained the key is not documented; developer account theft or insider access are plausible explanations but unconfirmed
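The practical lesson from the signing-key abuse is that a valid signature only proves the signer held the key; reputation has to be attached to the (certificate, package) pair. The check below is an added example written for this page, not code from McAfee or from any signing tool. It normalizes a SHA-256 certificate fingerprint as printed by either `apksigner` (bare lowercase hex) or `keytool` (colon-separated uppercase) and looks it up in an allowlist keyed on the certificate but constrained to the developer's known package names. The certificate bytes, the developer name `Example Bank` and the package names are constructed placeholders, not real signers.

```python
"""Allowlist check keyed on the (signing certificate, package name) pair.

Added example, not from any vendor report. The fingerprints are SHA-256
digests of constructed placeholder bytes, not real certificates.
"""
import hashlib
import re


def normalize_fingerprint(fp):
    """Accept apksigner style (lowercase hex) or keytool style (AA:BB:...)
    and return lowercase hex without separators."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", fp).lower()
    if len(hexdigits) != 64:
        raise ValueError("expected a SHA-256 fingerprint, got %r" % fp)
    return hexdigits


def cert_fingerprint(der_bytes):
    """SHA-256 over the DER-encoded certificate, the digest apksigner prints."""
    return hashlib.sha256(der_bytes).hexdigest()


def assess_signer(package_name, fingerprint, allowlist):
    """Classify a (package, signer) observation against the allowlist.

    The third outcome is the Fakecalls case: the signature verifies, but the
    key is signing a package its owner never shipped, so trust must be denied."""
    fp = normalize_fingerprint(fingerprint)
    entry = allowlist.get(fp)
    if entry is None:
        return "unknown_signer"
    if package_name in entry["packages"]:
        return "trusted"
    return "known_key_on_unexpected_package"


# Constructed placeholder certificate (not real DER) so the example runs offline.
BANK_CERT = cert_fingerprint(b"constructed-cert:example-bank")
ALLOWLIST = {
    BANK_CERT: {
        "developer": "Example Bank",
        "packages": {"com.example.bank", "com.example.bank.card"},
    },
}

if __name__ == "__main__":
    # A keytool-style rendering of the same digest must resolve identically.
    keytool_style = ":".join(BANK_CERT[i:i + 2] for i in range(0, 64, 2)).upper()
    for pkg, fp in [("com.example.bank", BANK_CERT),
                    ("com.example.bank", keytool_style),
                    ("com.example.fakebank", BANK_CERT),
                    ("com.example.bank", "00" * 32)]:
        print("%-22s %s" % (pkg, assess_signer(pkg, fp, ALLOWLIST)))
```

The allowlist shape matters more than the code: an entry must enumerate the packages a developer actually ships, and the `known_key_on_unexpected_package` result should be treated as a compromised-key alert for that developer, not merely as an untrusted app.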
Pre-Recorded Audio¶
The malware contains Korean-language audio files mimicking bank IVR systems:
| Audio | Content |
|---|---|
| Welcome greeting | "Thank you for calling [Bank Name]" |
| Menu prompts | "Press 1 for account balance, press 2 for transfers..." |
| Information requests | "Please enter your account number followed by the pound key" |
| Hold music | Standard hold music matching the impersonated bank |
| Confirmation | "Your transaction is being processed, please hold" |
Target Regions¶
| Region | Details |
|---|---|
| South Korea | Exclusive target |
Target banks include KB Kookmin Bank, Shinhan Bank, Samsung Card, Hana Bank, and other major Korean financial institutions. The Korean-language IVR recordings and specific bank impersonation limit operations to Korean-speaking victims.
Notable Campaigns¶
2022: Fakecalls first appears targeting Korean banking users with call interception capabilities. Kaspersky publishes analysis documenting the voice phishing mechanism, call spoofing, and pre-recorded IVR system.
2023: McAfee documents Fakecalls variants signed with a legitimate app signing key, a new evasion technique for the family. Because the signature verifies, checks that trust the certificate alone, rather than the certificate together with the package it is expected to sign, accept the malware.