FakeCall: How the banking Trojan that hijacks calls on Android works

  • FakeCall is an advanced banking Trojan capable of intercepting and redirecting calls by simulating your bank's app.
  • Its installation is usually carried out through phishing campaigns that encourage users to download apps outside of Google Play.
  • The malware's capabilities include live streaming, screenshots, and remote device control.

FakeCall malware on Android

The threat of malware on Android devices is constantly increasing and becoming more sophisticated, especially with regard to banking Trojans. One of the most recent, advanced, and dangerous threats is FakeCall, a banking Trojan specifically designed to target Android users with manipulation techniques, call redirection, and the collection of sensitive data. In this extensive analysis, you'll discover how FakeCall manages to deceive victims, what its attack techniques are, all its latest capabilities, and why it poses an unprecedented challenge to mobile security, as well as the best practices to protect yourself from this and other similar malware.

What is FakeCall and why is it so dangerous for Android?

FakeCall malware on Android: vishing techniques

FakeCall is a banking Trojan that masterfully employs the technique known as vishing (voice phishing). The main purpose of this malware is to trick users into believing they are talking to real representatives of their bank, which leads them to share confidential information such as passwords or bank card details.

This malware was first detected a few years ago, but it is constantly evolving. The most recent variants have increased their sophistication and danger, integrating functionalities that allow it to intercept and even redirect authentic phone calls, achieving a level of manipulation never before seen in banking Trojans.

The biggest danger of FakeCall lies in its ability to impersonate the phone's calling app. Thus, it can present itself as the legitimate interface of the device and simulate that the user is dialing their bank's real number, when in fact the call is intercepted and redirected to the attackers.

According to reports from specialist firms such as Zimperium, Kaspersky and Check Point, FakeCall is not only visually deceptive: it uses advanced permissions and APIs to take almost complete control of the device, accessing communications, logs and other data on demand.

In addition to all the above, FakeCall spreads mainly through phishing campaigns (emails or messages that pretend to come from official entities) that ask the victim to install malicious applications under deceptive pretexts. More than a dozen applications and files have so far been associated with FakeCall campaigns, increasing its reach.

The Inner Workings of FakeCall: How It Hijacks and Manipulates Bank Calls

Call Forwarding and Manipulation in FakeCall

To understand the seriousness of this threat, it is key to review how FakeCall gains access to and manipulates the phone's calling function:

  • It requests advanced permissions when installed, such as access to call management, reading contacts and controlling the screen.
  • It sets itself as the default calling app: it tricks the user into granting this permission, which is essential for intercepting and redirecting calls without being noticed.
  • When the user calls a bank number, the application interferes and intercepts the action. Instead of connecting to the real bank, the call is sent to a number controlled by cybercriminals.
  • The display shows the familiar interface and the legitimate bank number, generating false trust and making it easier for the victim to provide their data.
  • In some cases, the victim may receive an incoming call supposedly from their bank, but it is actually initiated and controlled by the criminals using the spoofed number.

In previous versions, FakeCall encouraged users to contact their bank through a fake app that mimicked the official one. Current variants instead manipulate the call system itself, achieving a more subtle and dangerous deception.

The sophistication of the fake interface is such that the victim never detects the manipulation, allowing the attacker to hold conversations, ask security questions, and request OTP codes or one-time passwords.

FakeCall's Advanced Capabilities and Dangerous Features

FakeCall malware: advanced capabilities and functionalities

FakeCall is much more than just a voice data thief: it is a comprehensive control and spying tool for Android devices. Its most dangerous versions integrate a set of features never before seen in a single banking Trojan:

  • Live screen streaming: It can stream everything happening on the user's screen in real time, allowing attackers to observe all activities, including sensitive data and movements within banking applications.
  • Automatic screenshots: FakeCall can take screenshots at any time and send them to the attackers' servers to evaluate the displayed information or documents.
  • Unlocking and controlling the screen: It is capable of unlocking the phone and preventing the screen from turning off automatically, facilitating prolonged access to the device without the user noticing.
  • Issuing remote commands: Uses the same permissions granted to perform actions on the device, such as simulating keystrokes, managing open applications, or even triggering the camera for recording.
  • File deletion and leak: It has the ability to access the image folder, compress and upload photos, delete files or manipulate stored information.
  • Abuse of accessibility APIs: FakeCall grants itself additional permissions, bypassing security restrictions and expanding its power in the Android system.
  • Mass collection of information: It is capable of collecting data from contacts, SMS, locations, list of installed applications, even recording ambient audio or from the device's camera.
  • Bluetooth and screen-state monitoring: some variants can tell when the user is using Bluetooth, or monitor the screen state, adjusting their behavior based on the user's apparent privacy.
  • Manipulating the phone's state: It can even simulate pressing the home button or manipulate automatic locks, making it difficult for the victim to detect abnormal activity while being scammed.

The integration of all these functionalities makes FakeCall a multipurpose weapon at the service of cybercrime, increasing the potential damage and making manual detection by the user difficult.

Fake Call Propagation Methods and How to Protect Your Phone

FakeCall propagation methods on Android

The main distribution route for FakeCall is phishing campaigns, that is, messages or emails that pretend to be from banks or other legitimate entities and that encourage the user to install an application or click a link. However, the malware can also appear in unofficial app stores or on fraudulent websites that pretend to belong to banks or recognized companies.

When the victim downloads a malicious APK file, usually under promises of loans, discounts or exclusive banking features, the infection process begins. The installation triggers requests for advanced permissions and, in many cases, connections to external command and control servers from which attackers direct malicious activity.

Currently, Google Play Protect has proven to be an effective barrier to known malware, and FakeCall has not been detected in the official Play Store. However, users remain at risk when downloading apps from unverified sources or when falling for misleading messages.

Some of the identified variants use odd-looking package names and may mimic legitimate tools, helpers, banking utilities, or help desks.

The best defense against FakeCall and similar scams is to maintain a proactive and distrustful attitude towards unverified applications:

  • Install apps only from the Google Play Store or from verified and recognized sources.
  • Avoid downloading APK files sent by email or unknown messages, even if they appear to come from reliable sources.
  • Always keep Google Play Protect active and perform periodic scans with reputable security applications.
  • Don't grant excessive permissions to applications, especially those related to calls, accessibility, or device management.
  • Be suspicious of any app that requests to become the default calling app without a clear reason.
  • Pay attention to signs of attempted deception, such as urgent messages or promises that are too good to be true.
  • Periodically review the installed applications and delete any you don't remember downloading.

Identifying infections, package names, and the scope of FakeCall campaigns

FakeCall Detection and Scope on Android

Cybersecurity experts have detected more than 13 applications and .dex files related to FakeCall campaigns. Some malware variants use random package names or names similar to legitimate services to avoid detection. Examples of names used include:

  • com.qaz123789.serviceone
  • com.sbbqcfnvd.skgkkvba
  • com.securegroup.assistant
  • com.seplatmsm.skfplzbh
  • eugmx.xjrhry.eroreqxo
  • gqcvctl.msthh.swxgkyv
  • ouyudz.wqrecg.blxal
  • plnfexcq.fehlwuggm.kyxvb
  • xkeqoi.iochvm.vmyab
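The call-hijacking mechanism described earlier (an untrusted app holding the default-dialer role and an enabled accessibility service) and the random-looking package names listed above are the three indicators a defender can check on a device. The following triage script is an added example, not code from the article or from any of the vendors it cites; it parses constructed samples of the output of `adb shell pm list packages -3` and `adb shell settings get secure enabled_accessibility_services`, takes the dialer-role holder as a plain package name (obtain it with whatever tool fits your Android version), and assumes its own allowlists of trusted dialers and accessibility services.

```python
import re
from collections import Counter
from typing import Dict, List, Set

# Constructed sample of `adb shell pm list packages -3` (user-installed apps only).
SAMPLE_PM_LIST = """package:com.google.android.apps.authenticator2
package:com.sbbqcfnvd.skgkkvba
package:com.securegroup.assistant
"""
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
SAMPLE_A11Y = ("com.sbbqcfnvd.skgkkvba/.AccessService:"
               "com.google.android.marvin.talkback/.TalkBackService")
# Assumed allowlists: apps that may legitimately hold the dialer role, and
# accessibility services expected on this device (adjust per fleet).
TRUSTED_DIALERS: Set[str] = {"com.google.android.dialer", "com.android.dialer"}
TRUSTED_A11Y: Set[str] = {"com.google.android.marvin.talkback"}
VOWELS = set("aeiou")

def looks_random(package: str) -> bool:
    """True for generated-looking names: a segment of 5+ letters with
    under 20% vowels or a run of 4+ consonants (e.g. com.sbbqcfnvd.skgkkvba)."""
    for seg in package.lower().split("."):
        letters = re.sub(r"[^a-z]", "", seg)
        if len(letters) < 5:
            continue
        vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
        if vowel_ratio < 0.2 or re.search(r"[^aeiou]{4,}", letters):
            return True
    return False

def parse_pm_list(output: str) -> List[str]:
    return [ln.split(":", 1)[1].strip() for ln in output.splitlines()
            if ln.startswith("package:")]

def parse_a11y(output: str) -> List[str]:
    # Each entry is "package/ServiceClass"; keep only the package part.
    return [e.split("/", 1)[0] for e in output.strip().split(":") if e]

def triage(pm_output: str, a11y_output: str, dialer_holder: str) -> Dict[str, List[str]]:
    """Return indicators per category plus packages hit by two or more of them."""
    third_party = parse_pm_list(pm_output)
    findings = {
        "dialer": [] if dialer_holder in TRUSTED_DIALERS else [dialer_holder],
        "accessibility": sorted(p for p in parse_a11y(a11y_output) if p not in TRUSTED_A11Y),
        "random_name": sorted(p for p in third_party if looks_random(p)),
    }
    hits = Counter(p for pkgs in findings.values() for p in pkgs)
    findings["suspects"] = sorted(p for p, n in hits.items() if n >= 2)
    return findings

if __name__ == "__main__":
    for category, pkgs in triage(SAMPLE_PM_LIST, SAMPLE_A11Y, "com.sbbqcfnvd.skgkkvba").items():
        print(f"{category}: {pkgs}")
```

A package flagged in two or more categories is the one to pull from the device for analysis; a single hit (for instance a legitimate but unlisted accessibility service) only warrants a look at the allowlist.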

FakeCall's reach has expanded internationally. Initially, it primarily targeted users in Asian countries, but its tactics and code have quickly adapted to exploit weaknesses in systems elsewhere, taking advantage of human errors and security holes in Android devices.

The number of potential victims increases as malware evolves, especially among users unfamiliar with modern cyber threats or who download apps without verifying their authenticity.

The real impact: risks to the security and privacy of Android users

Consequences and risks of FakeCall for Android users

The impact of FakeCall goes far beyond stealing banking data. This malware can result in complete loss of control over the device, identity theft, access to and deletion of personal files, and disclosure of private and financial information to cybercriminal networks.

Among the most relevant risks are:

  • Total theft of bank credentials and one-time codes, which may lead to account deletion or unauthorized transfers.
  • Remote access and use of the device, allowing attackers to operate the terminal as if they were the real owner.
  • Mass collection of personal information (SMS, images, contacts, audios and more), which can be used for extortion, additional phishing or sale in illegal markets.
  • Extreme difficulty in detecting malware, as FakeCall perfectly mimics standard Android visuals and user experience, without raising suspicions during the fraud.
  • Changing device settings, such as blocking manual access or changing privileges, making it difficult for the victim to regain control.

Google has taken steps to prevent the spread of these types of threats on Google Play and is experimenting in some countries with initiatives that block the download of potentially dangerous apps, especially those that abuse accessibility services.

However, protection depends largely on the attention and behavior of each user. Malware doesn't install itself: it requires human action, usually motivated by urgency or convincing promises and phishing messages.

The continued development of FakeCall demonstrates that cybercriminals are adapting their techniques to new defense systems and the digital culture of the average user, so information and training remain the best barriers.
