New Variant "Hijacks" Outgoing Calls for Phishing
The team discovered a new variant of malware that can take full control of a device to carry out voice phishing, with the aim of tricking users into revealing financial information.
First discovered by Kaspersky, it now has new features that make it harder to detect, allowing attackers to remotely manipulate device functions, bypass user permission prompts, and capture and control calls.
How a FakeCall Attack Works
A FakeCall attack begins as a standard phishing attack: the victim is usually lured, via a deceptive download link or SMS message, into installing a malicious APK file, which then downloads a second-stage malware payload. This malware is heavily obfuscated, uses advanced anti-detection techniques, and connects to a remote command-and-control (C2) server to execute commands.
The latest variant mimics the standard dialer application on infected devices, intercepting and controlling incoming and outgoing calls. Users attempting to contact banks or other financial institutions may unknowingly be redirected to attackers posing as customer support, who then steal financial and personal information.
By abusing accessibility services, the malware can monitor dialer activity and answer permission prompts without the user's consent, giving it extensive control over device operations. In addition, by receiving remote commands from the server, attackers can simulate interactions on the device, place unauthorized calls, or tap elements on the screen, further compromising the security of the victim's accounts.
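The two abuses described above (a sideloaded app holding the default dialer role, and a sideloaded app with an enabled accessibility service) are both visible in standard Android device settings. The following triage script is an added example, not code from the article or from Zimperium; it parses constructed sample output of three `adb shell` commands (the command names and output layout are assumptions, and the package names are invented) and flags any package holding either capability that was not installed from a trusted store.

```python
import re

# Constructed sample output (not captured from a real device) for three
# checks an investigator can run over adb (command names are assumptions):
#   adb shell cmd role get-role-holders android.app.role.DIALER
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
DIALER_ROLE_OUTPUT = "com.example.fakedialer\n"
ACCESSIBILITY_OUTPUT = (
    "com.example.fakedialer/com.example.fakedialer.AccService:"
    "com.google.android.marvin.talkback/.TalkBackService\n"
)
PACKAGES_OUTPUT = """\
package:com.google.android.dialer  installer=com.android.vending
package:com.example.fakedialer  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.android.chrome  installer=com.android.vending
"""

# Installers considered trusted; add an MDM or OEM store package here if used.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_installers(pm_output):
    """Map package name -> installer package from 'pm list packages -i' lines."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            installers[m.group(1)] = m.group(2)
    return installers

def parse_accessibility(setting):
    """Packages with an enabled accessibility service (pkg/service:pkg/service)."""
    entries = [e for e in setting.strip().split(":") if e]
    return {e.split("/")[0] for e in entries}

def triage(dialer_out, access_out, pm_out):
    """Return (package, reason) for sensitive roles held by sideloaded packages."""
    installers = parse_installers(pm_out)
    findings = []
    for pkg in dialer_out.split():
        if installers.get(pkg, "null") not in TRUSTED_INSTALLERS:
            findings.append((pkg, "default dialer, sideloaded"))
    for pkg in sorted(parse_accessibility(access_out)):
        if installers.get(pkg, "null") not in TRUSTED_INSTALLERS:
            findings.append((pkg, "accessibility service enabled, sideloaded"))
    return findings

if __name__ == "__main__":
    for pkg, why in triage(DIALER_ROLE_OUTPUT, ACCESSIBILITY_OUTPUT, PACKAGES_OUTPUT):
        print(f"[!] {pkg}: {why}")
```

A hit on both checks for the same sideloaded package, as in the sample data, is the combination the article describes and warrants removing the app and re-verifying the default dialer setting.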
FakeCall's Latest Attack Chain
Source: https://www.zimperium.com/blog/mishing-in-motion-uncovering-the-evolving-functionality-of-fakecall-malware/
New Features
The latest FakeCall variant exhibits advanced capabilities that pose a serious security risk to users. These new features are designed to prolong the malware's persistence on the device and give attackers access to a range of sensitive information. For example, the malware now includes components that detect Bluetooth connections and screen state, possibly in preparation for more sophisticated behavior in future iterations.
It can also record audio, take photos, start live video streaming, and control both cameras. The command set has been expanded in the latest version, giving attackers fine-grained control over infected devices across a wide range of activities, such as:
- Information Collection: The malware uploads device information, call logs, contacts, SMS messages, and location data to the server.
- Device Control: A remote attacker can end calls, manage application installations, capture screenshots, initiate screen video streaming, and access the camera feed.
- Data Manipulation: The ability to add or remove contacts, delete call logs, and even send or delete text messages allows attackers to conceal malicious activities.
- Remote Interface Simulation: Using accessibility services, the malware can simulate taps and button presses, allowing attackers to navigate the device and manipulate it precisely.
To defend against this threat, avoid installing applications from outside the official app store, independently verify a caller's identity before disclosing sensitive information, and keep your device's security protections active.