Full Report
In this blog post we share Zimperium’s Zero-Day Protection against the Water Makara Spear-Phishing campaign. The post Mishing in Motion: Uncovering the Evolving Functionality of FakeCall Malware appeared first on Zimperium.
Analysis Summary
# Tool/Technique: FakeCall Malware
## Overview
FakeCall is a sophisticated variant of mobile malware that leverages **Vishing (voice phishing)** techniques, supported by a malicious Android application package (APK), to gain control over victims' mobile devices. Its primary goal is to deceive users into disclosing sensitive information (credentials, financial details) or to remotely control device functions. It is part of a broader set of mobile-targeted phishing techniques termed "Mishing."
## Technical Details
- Type: Malware family
- Platform: Android
- Capabilities: Complete device control, call interception/manipulation, data exfiltration (calls, SMS, contacts, location), screen capture, audio/video recording, input simulation.
- First Seen: The article describes a new variant of a previously reported malware family but gives no discovery date for this variant; the article itself is dated October 30, 2024.
## MITRE ATT&CK Mapping
Based on observed capabilities:
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
- **TA0007 - Discovery**
  - T1430 - Location Tracking
  - T1430.001 - Location Tracking: GPS
- **TA0008 - Lateral Movement**
  - (Implicitly involved in enabling remote control)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
- **TA0011 - Command and Control**
  - T1616 - Communication Channels
- **TA0012 - Persistence**
  - T1651 - Execution through API Abuse (via Accessibility Service)
- **TA0018 - Mobile Control**
  - T1582 - SMS Messages: Read/Delete/Send (Mapped loosely to SMS Control)
- **TA0003 - Persistence**
  - T1649 - Accessibility Features
*Note: The T-IDs the article lists explicitly are cited alongside the corresponding capabilities in the Functionality section below.*
## Functionality
### Core Capabilities
- **Vishing Facilitation:** Tricks victims into calling attacker-controlled fraudulent numbers while mimicking normal user experience.
- **Dropper Functionality:** The initial APK acts as a dropper to install the second-stage malicious payload.
- **Dynamic Loading:** Discrepancies between the APK's configuration and its manifest indicate that additional `.dex` files are decrypted and loaded at runtime, hiding the real payload from static analysis.
- **Accessibility Service Exploitation:** Leverages the Android Accessibility Service (implemented in native code) for high-level UI control and bypassing user consent.
- **Remote Control Simulation:** Capable of simulating user interactions (clicks) on the device.
### Advanced Features
- **Call Seizure (T1616):** Ability to control both outgoing and incoming phone calls.
- **Data Harvesting:** Collection and exfiltration of Call Logs (T1636.002), Contact List (T1636.003), and SMS Messages (T1636.004).
- **Sensory Capture:** Capability to record Audio (T1429) and capture Video (T1512) via the camera.
- **Screen Monitoring:** Captures screenshots (T1513) and exploits screen sharing capabilities to capture credentials (T1417.002).
- **Location Tracking (T1430):** Retrieves and exfiltrates the victim’s current location data over HTTPS.
- **Permission Bypassing:** Ability to detect permission prompts (e.g., from `com.google.android.permissioncontroller`) and automatically grant necessary permissions.
- **Evasion:** Heavy obfuscation in newer variants; migration of functionality into native code elements to complicate static analysis.
## Indicators of Compromise
The article refers readers to an external link for IOCs, so no specific indicators are reproduced here.
- File Hashes: [Not provided]
- File Names: [Initial dropper APK]
- Registry Keys: [Not applicable to Android]
- Network Indicators: [C2 communication, likely over HTTPS; no specific hosts or URLs are given]
- Behavioral Indicators: Execution of code loaded dynamically from decrypted DEX files; high-frequency use of the Accessibility Service; interception of call events related to the stock dialer (`com.skt.prod.dialer`).
## Associated Threat Actors
- [Not explicitly named in the provided context, but the work builds upon findings from ThreatFabric and Kaspersky.]
## Detection Methods
- **Signature-based detection:** Detection based on known package names (e.g., comparison to older variant `com.secure.assistant`) or specific malicious code signatures within the loaded DEX files.
- **Behavioral detection:** Monitoring for unauthorized use of the Accessibility Service, dynamic loading of DEX files from memory, and abnormal access to call logs, SMS, or location data followed by unexpected network transmission.
- **YARA rules:** [Not provided]
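An added triage example, not from the Zimperium article, that applies the signature and behavioral checks above to a constructed device inventory: it parses `adb shell pm list packages -i` output and the `enabled_accessibility_services` secure setting, flags the older-variant package name, and raises any enabled accessibility service outside an assumed fleet allowlist, with higher severity when the owning app was sideloaded (`installer=null`). The sample listing, the allowlist and the `com.example.bankhelper` app are constructed.

```python
import re

# Constructed inventory: an `adb shell pm list packages -i` listing and the
# Settings.Secure value `enabled_accessibility_services` (colon-separated components).
PM_OUTPUT = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.secure.assistant  installer=null
package:com.example.bankhelper  installer=null
package:com.skt.prod.dialer  installer=com.android.vending
"""
ACCESSIBILITY_VALUE = ("com.google.android.marvin.talkback/.TalkBackService:"
                       "com.example.bankhelper/.AssistService")

KNOWN_BAD = {"com.secure.assistant"}  # package name of the older FakeCall variant
# Assumed fleet allowlist of accessibility services; TalkBack is an illustrative entry.
ALLOWED_A11Y = {"com.google.android.marvin.talkback/.TalkBackService"}
PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)")


def parse_packages(pm_output):
    """Map package name -> installer; 'null' means sideloaded from an unknown source."""
    pkgs = {}
    for line in pm_output.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkgs[m.group(1)] = m.group(2)
    return pkgs


def parse_accessibility(value):
    """Split the secure setting into enabled service component names."""
    value = value.strip()
    return set() if value in ("", "null") else {c for c in value.split(":") if c}


def triage(pm_output, a11y_value):
    """Return (severity, package, reason) findings, highest severity first."""
    pkgs = parse_packages(pm_output)
    findings = []
    for name in sorted(pkgs.keys() & KNOWN_BAD):
        findings.append(("high", name, "package name matches known FakeCall variant"))
    for svc in sorted(parse_accessibility(a11y_value)):
        if svc in ALLOWED_A11Y:
            continue  # approved assistive app, no finding
        pkg = svc.split("/", 1)[0]
        sideloaded = pkgs.get(pkg, "null") == "null"
        reason = f"unlisted accessibility service {svc}"
        if sideloaded:
            reason += " from unknown-source install"
        findings.append(("high" if sideloaded else "medium", pkg, reason))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))
```

Running `triage(PM_OUTPUT, ACCESSIBILITY_VALUE)` on the constructed data yields two high findings: the known older-variant package and the sideloaded app holding an unlisted accessibility service.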
## Mitigation Strategies
- **Prevention measures:** Strict user caution regarding downloading APK files from unofficial or suspicious sources (combating the initial phishing vector).
- **Hardening recommendations:** Restricting installation of applications from unknown sources; regularly reviewing and revoking permissions granted to installed applications, especially the Accessibility Service.
## Related Tools/Techniques
- **Mishing:** General category encompassing Vishing, Smishing, and Quishing.
- **Vishing:** The core social engineering technique employed.
- **Older Variant:** Functionality shares characteristics with an older malware variant using the package name `com.secure.assistant`, suggesting lineage or shared developers.