Full Report
In this blog post we share Zimperium’s Zero-Day Protection against the Water Makara Spear-Phishing campaign. The post Mishing in Motion: Uncovering the Evolving Functionality of FakeCall Malware appeared first on Zimperium.
Analysis Summary
# Tool/Technique: FakeCall Malware
## Overview
FakeCall is a sophisticated Android malware variant designed to facilitate Vishing (voice phishing) attacks. It is typically delivered as an APK file through a phishing attack and, once installed, gains significant control over the mobile device, enabling direct manipulation of phone calls to trick victims into revealing confidential information to attacker-controlled numbers. It is part of a broader category of mobile-targeted phishing known as "Mishing."
## Technical Details
- Type: Malware family (Second-stage payload)
- Platform: Android
- Capabilities: Call interception and control, automatic permission granting, remote screen/audio/video capture, data exfiltration.
- First Seen: Previously reported; new variants tracked as of October 30, 2024.
## MITRE ATT&CK Mapping
The malware exhibits capabilities mapping across multiple tactics:
- **Collection T1429 - Audio Capture**
- **Collection T1430 - Location Tracking**
- **Collection T1430.001 - Location Tracking** (Implied: Gets and exfiltrates location data)
- **Collection T1512 - Video Capture**
- **Collection T1513 - Screen Capture**
- **Collection T1636.002 - Protected User Data: Call Log**
- **Collection T1636.003 - Protected User Data: Contact List**
- **Collection T1636.004 - Protected User Data: SMS Messages**
- **Collection T1417.002 - Input Capture: GUI Input Capture** (Via screen sharing)
- **Command and Control T1616 - Call Control**
- **Impact T1516 - Input Injection** (Simulates user clicks)
- **Impact T1616 - Call Control** (Manipulates incoming/outgoing calls)
- **Impact T1582 - SMS Control** (Read, delete, transmit SMS)
- **Exfiltration T1646 - Exfiltration Over C2 Channel** (Uses HTTPS)
- **Defense Evasion** (Implied by heavy obfuscation and dynamic loading of DEX components)
## Functionality
### Core Capabilities
- **Vishing Execution:** Tricks victims into calling fraudulent numbers while mimicking the normal user experience.
- **Call Control (T1616):** Intercepts and controls both incoming and outgoing phone calls.
- **Data Collection:** Harvests Call Logs (T1636.002), Contact Lists (T1636.003), and SMS messages (T1636.004).
- **C2 Communication:** Communicates with a Command and Control server to receive instructions and exfiltrate stolen data, utilizing the HTTPS protocol (T1646).
### Advanced Features
- **Dynamic Payload Loading:** Utilizes a dropper to install the main payload. The main malware dynamically decrypts and loads a hidden `.dex` file from memory, obscuring static analysis.
- **Accessibility Service Abuse (New):** Leverages the Android Accessibility Service to:
  - Automate permission granting by detecting permission prompts (e.g., from `com.google.android.permissioncontroller`).
  - Monitor dialer activity (e.g., `com.skt.prod.dialer`) to potentially prevent the user from using legitimate dialer apps.
- **Sensory Capture:** Capabilities to capture Audio (T1429), Video (T1512), and Screenshots (T1513).
- **Location Tracking (T1430):** Retrieves and exfiltrates the device's current location data.
- **Input Injection (T1516):** Capable of simulating user clicks for remote control functionality.
- **Code Migration:** Partial migration of malicious functionality to native code elements, making decompilation and detection more difficult.
## Indicators of Compromise
*Note: Specific hashes and network indicators were not provided in the text, only general IOC concepts were listed.*
- File Hashes: [Not provided]
- File Names: [APK dropper file, Second-stage payload]
- Registry Keys: [Not applicable; Android has no registry, so package names and component names serve this role instead]
- Network Indicators: [C2 servers communicating over HTTPS; no hosts or URLs were provided]
- Behavioral Indicators:
  - Components declared in `AndroidManifest.xml` with no corresponding code in the packaged DEX files (suggesting dynamic loading).
  - Use of services/receivers resembling older variants (e.g., package name `com.secure.assistant`).
  - Services listening for Bluetooth status or screen state changes (though currently benign in the source code).
## Associated Threat Actors
- Information not explicitly stated, only that it is a "well-known malware previously reported by ThreatFabric and Kaspersky."
## Detection Methods
- Signature-based detection: Look for known patterns or structures associated with previously identified FakeCall variants, especially related to dynamic DEX loading.
- Behavioral detection: Monitoring for the abuse of the Android Accessibility Service to automatically grant permissions or manipulate system UI events. Monitoring for unauthorized call manipulation and C2 communication over HTTPS.
- YARA rules: Not provided, but could target unique native code implementations or string obfuscation techniques.
## Mitigation Strategies
- Prevention measures: Avoid downloading and installing APK files from untrusted sources, in particular those delivered through phishing campaigns (Mishing, Smishing, Quishing).
- Hardening recommendations: Review and restrict the permissions granted to installed applications, especially applications that request Accessibility Service access unnecessarily. Implement mobile threat defense solutions capable of detecting dynamic payload execution.
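The hardening recommendation above (review which apps hold Accessibility Service access) can be audited from the device setting that lists enabled services. The following is an added example, not code from Zimperium or from the original post: it parses the value printed by `adb shell settings get secure enabled_accessibility_services`, a colon-separated list of flattened component names, expands the short `pkg/.Class` form the way `ComponentName.unflattenFromString` does, and flags any service whose package is not on an allowlist. The sample setting string, the `com.example.dropper` package, and the allowlist contents are constructed values; the TalkBack component is the real screen-reader service and stands in for a legitimate entry.

```python
def parse_component(flat: str) -> tuple:
    """'pkg/.Cls' or 'pkg/full.Cls' -> (package, fully-qualified class)."""
    pkg, _, cls = flat.partition("/")
    if cls.startswith("."):
        cls = pkg + cls
    return pkg, cls


def parse_enabled_accessibility_services(setting: str) -> list:
    """Parse the 'enabled_accessibility_services' secure setting; 'null' means none enabled."""
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    return [parse_component(item) for item in setting.split(":") if item]


def unexpected_accessibility_services(setting: str, allowed_packages: set) -> list:
    """Enabled accessibility services whose package is not on the reviewer's allowlist."""
    return [
        f"{pkg}/{cls}"
        for pkg, cls in parse_enabled_accessibility_services(setting)
        if pkg not in allowed_packages
    ]


# Constructed sample output of: adb shell settings get secure enabled_accessibility_services
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.dropper/.HelperService"
)
# Example allowlist: only the accessibility tools the organisation has approved.
ALLOWED_PACKAGES = {"com.google.android.marvin.talkback"}

if __name__ == "__main__":
    for svc in unexpected_accessibility_services(SAMPLE_SETTING, ALLOWED_PACKAGES):
        print("review accessibility grant:", svc)
```

Run it against the live setting with `adb shell settings get secure enabled_accessibility_services` as input; any flagged package is a candidate for the permission-prompt automation and dialer monitoring described under Advanced Features, and its grant should be revoked in Settings unless there is a documented reason for it.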
## Related Tools/Techniques
- **Related Phishing Techniques (Mishing):** Smishing (SMS phishing) and Quishing (QR code phishing).
- **Related Malware:** Older variants sharing code patterns with the package name `com.secure.assistant`.