Many of the new obfuscations are the result of hiding malicious code within an app’s .dex file, which is dynamically decrypted and loaded. As a result, Zimperium initially believed that the malicious apps it was analyzing were part of a previously unknown malware family. The researchers then dumped the .dex file from the infected device’s memory and performed static analysis.
“As we dug deeper, a pattern emerged,” Ortega wrote. “The services, receivers, and activities were very similar to those of an older malware variant with the package name com.secure.assistant.” That package name allowed the researchers to link the sample to the FakeCall Trojan.
It appears that many of the new features are not yet fully implemented. In addition to obfuscation, new features include:
Bluetooth receiver
This receiver primarily acts as a listener, monitoring Bluetooth status and changes. Notably, there is no immediate evidence of malicious behavior in its source code, raising the question of whether it serves as a placeholder for future functionality.
screen receiver
Similar to the Bluetooth receiver, this component only monitors the screen state (on/off) without revealing any malicious activity in the source code.
accessibility services
The malware incorporates a new service inheriting from the Android Accessibility Service, giving it significant control over the user interface and the ability to capture information displayed on the screen. The decompiled code shows that methods such as onAccessibilityEvent() and onCreate() are implemented in native code, hiding the specific malicious intent from straightforward Java-level analysis.
Although the provided code snippets focus on the service’s lifecycle methods implemented in native code, previous versions of the malware provide clues about its possible functionality.
- Monitor dialer activity: The service appears to monitor events from the com.skt.prod.dialer package (the stock dialer app), which may let it detect when a user attempts to make a call using an app other than the malware itself.
- Automatic permission granting: The service appears able to detect permission prompts from com.google.android.permissioncontroller (the system permission manager) and com.android.systemui (the system UI). When a specific event is detected (e.g. TYPE_WINDOW_STATE_CHANGED), it can bypass user consent and automatically grant permissions to the malware.
- Remote control: The malware gives a remote attacker full control over the victim’s device UI, allowing them to simulate user interactions such as clicks, gestures, and navigation between apps. This feature lets an attacker manipulate the device precisely.
telephone listener service
This service acts as a conduit between the malware and its command-and-control (C2) server, allowing the attacker to issue commands and perform actions on the infected device. Like the previous version, the new variant provides attackers with a comprehensive set of capabilities (see table below). While some features have been moved to native code, others are new, further increasing the malware’s ability to compromise devices.
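As an added triage example (not Zimperium's code or anything from the analyzed samples), the script below checks an app's manifest and a list of strings extracted from its APK for the combination of traits described above: an accessibility service, a Bluetooth state receiver, dynamic .dex loading, native code, and references to the dialer and permission-controller packages. The manifest, string list, and component names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # prefix of android:* attributes after parsing

# Constructed sample manifest declaring the component types described above (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <application android:name=".App">
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".BtReceiver">
      <intent-filter><action android:name="android.bluetooth.adapter.action.STATE_CHANGED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
# Constructed strings such as a strings/decompile pass might report from the same APK.
SAMPLE_STRINGS = ["dalvik/system/DexClassLoader", "lib/arm64-v8a/libcore.so",
                  "com.skt.prod.dialer", "com.google.android.permissioncontroller"]
# Packages the accessibility service was seen watching, per the analysis above.
TARGET_PACKAGES = ("com.skt.prod.dialer", "com.google.android.permissioncontroller", "com.android.systemui")

def triage(manifest_xml, apk_strings):
    """Return the FakeCall-style indicators present in the manifest and string set."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append("accessibility_service:" + svc.get(ANDROID + "name"))
    for rcv in root.iter("receiver"):
        actions = {a.get(ANDROID + "name") for a in rcv.iter("action")}
        if "android.bluetooth.adapter.action.STATE_CHANGED" in actions:
            findings.append("bluetooth_state_receiver:" + rcv.get(ANDROID + "name"))
    if any("DexClassLoader" in s for s in apk_strings):
        findings.append("dynamic_dex_loading")  # payload .dex decrypted and loaded at runtime
    if any(s.endswith(".so") for s in apk_strings):
        findings.append("native_code")  # lifecycle methods may be implemented natively
    findings += ["references:" + p for p in TARGET_PACKAGES if p in apk_strings]
    return findings

def verdict(findings):
    """'high' only when accessibility abuse is combined with hidden code and target-package references."""
    has_acc = any(f.startswith("accessibility_service:") for f in findings)
    hidden = "dynamic_dex_loading" in findings or "native_code" in findings
    if has_acc and hidden and any(f.startswith("references:") for f in findings):
        return "high"
    return "medium" if has_acc else "low"
```

A manifest-only match (accessibility service but no hidden code or target references) is scored medium, since legitimate accessibility apps declare the same service type.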
Kaspersky Lab’s 2022 post said that Korean is the only language supported by FakeCall, and that the Trojan appears to be targeting a few specific banks in South Korea. Last year, researchers at security firm ThreatFabric said the Trojan started supporting English, Japanese, and Chinese, but there was no evidence that people speaking those languages were actually targeted.