
Com TW NOw News 2024

Android users: New malware hijacks banking calls and redirects them to attackers

This article was updated on November 7 with a statement from a Google spokesperson.

The evolution of malware is a brutal game of cat and mouse, and Android users are once again in the crosshairs.

Initially, the FakeCall malware was a simple scam designed to impersonate legitimate banking apps and trick users into disclosing sensitive information via fake call screens.

Although effective at exploiting social engineering, early versions were limited to visual deception. Today, a more advanced version has emerged – equipped with the ability to intercept calls, record conversations and monitor device activity – making it a formidable threat capable of carrying out complex and highly convincing fraud.

The new and improved FakeCall malware

As TheHackerNews reports, the new FakeCall malware starts by tricking users into downloading a seemingly legitimate app. Once installed, it asks to be set as the default phone app. This step is crucial because it allows the malware to monitor calls on the device.

When a user tries to make a call or receives one, the malware can intercept the call and redirect it to a fake number controlled by attackers, tricking the user into thinking they are talking to real bank representatives.

Differences between the old and new FakeCall

Record audio and screens

Previous versions of FakeCall mainly tricked users by displaying fake call screens, imitating legitimate apps, so that users thought they were speaking to their bank. The new variant goes one step further by taking advantage of Android’s screen recording and audio recording capabilities. This allows attackers to spy on live conversations and potentially collect personal or financial data in real time.

Device activity monitoring

While older versions had limited surveillance capabilities, the updated malware can track more aspects of device behavior, including monitoring Bluetooth status. This not only helps attackers understand when users are active, but also makes it easier for them to anticipate interactions, increasing their chances of successfully extracting sensitive information.

Mimicking real user interactions

A big leap forward in the new variant is the seamless integration with the Android system. This ability allows the malware to mimic real user interactions, making it appear more legitimate. For example, the malware can simulate actions a user would normally take, such as switching settings or responding to prompts.

This deception helps avoid detection and makes its behavior look natural. These new capabilities make the latest FakeCall version more intrusive and capable of carrying out complex, multi-layered fraud operations.

Example attack scenario

Imagine that John, an Android user, downloads an app that he believes is his bank’s latest mobile application. The app looks convincing, complete with logos and familiar user interface elements. However, this app is laced with the new FakeCall malware. John sets it as the default dialer after a prompt suggests it will “improve call quality.”

When he calls customer service to report a suspicious transaction, the malware intercepts the call and seamlessly forwards it to an attacker. On the other end, a scammer pretends to be a bank representative, speaking in a calm and authoritative tone.

John provides personal information, believing it is necessary for verification. Meanwhile, the malware secretly records the audio and captures John’s on-screen interactions as he accesses account information or enters security codes.

John completes the call and is reassured that the issue is being addressed. Little does he know, the attacker now has the data needed to access his bank account, initiate transactions and compromise his financial security.

This seamless deception leaves no immediate clues, allowing the attacker to act quickly before John realizes something is wrong.


Good security practices when downloading apps

  • Download apps only from trusted sources: Always use verified app stores such as Google Play to minimize the risk of downloading malware. These platforms perform security checks on the apps they host, providing a layer of protection. Be careful with Android Package Kits or APKs from third-party sites as they often bypass these security measures.
  • Check app permissions regularly: View and adjust the permissions your apps have. Apps should only have access to what they need to function. For example, a weather app doesn’t need access to your calls or screen recording capabilities. Pay close attention to apps that request permission for screen access, call handling, or text messaging, as these can be exploited by malware such as FakeCall.
  • Keep devices updated: Make sure your device’s operating system and all installed apps receive regular updates. Developers release updates not only for new features, but also to fix known security issues. By updating you reduce the risk of malware abusing outdated software.
  • Be skeptical of app requests: Always scrutinize extensive permission requests. Malware often requests control over features, such as being set as the default dialer or gaining access to accessibility services, under false pretenses. Only grant these permissions if you fully trust the app and understand why it needs them. For example, a photo editing app shouldn’t have the ability to make calls or read your screen.
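
For readers who manage several devices, the permission review above can be turned into a repeatable check. The following is an added example, not code from the article or from any vendor: it triages an app inventory for the combination described here (unexpected default dialer, or a sideloaded app holding several recording and monitoring capabilities). The inventory format, the `com.example.*` package names and the expected-dialer allow-list are assumptions made for illustration.

```python
PLAY_INSTALLER = "com.android.vending"
EXPECTED_DIALERS = {"com.google.android.dialer"}  # assumption: the dialer you expect

# Permissions matching the capabilities the article attributes to the new variant.
CAPABILITIES = {
    "android.permission.RECORD_AUDIO": "can record audio",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": "can capture the screen",
    "android.permission.BLUETOOTH_CONNECT": "can read Bluetooth state",
}

def triage(apps, default_dialer):
    """Return {package: [reasons]} for apps that warrant manual review."""
    findings = {}
    for app in apps:
        pkg = app["package"]
        caps = [why for perm, why in CAPABILITIES.items() if perm in app["permissions"]]
        if app.get("accessibility_service"):
            caps.append("runs an accessibility service")
        reasons = []
        if pkg == default_dialer and pkg not in EXPECTED_DIALERS:
            reasons.append("holds the default dialer role unexpectedly")
        # One capability alone is common in benign apps; several of them on a
        # sideloaded app is the pattern worth a closer look.
        if app.get("installer") != PLAY_INSTALLER and len(caps) >= 2:
            reasons.append("sideloaded with multiple surveillance-capable features")
        if reasons:
            findings[pkg] = reasons + caps
    return findings

# Constructed inventory for illustration (not real device output).
SAMPLE_APPS = [
    {"package": "com.google.android.dialer", "installer": PLAY_INSTALLER,
     "permissions": ["android.permission.CALL_PHONE", "android.permission.RECORD_AUDIO"]},
    {"package": "com.example.bankhelper", "installer": None, "accessibility_service": True,
     "permissions": list(CAPABILITIES)},
    {"package": "com.example.recorder", "installer": PLAY_INSTALLER,
     "permissions": ["android.permission.RECORD_AUDIO"]},
    {"package": "com.example.sidegame", "installer": None, "permissions": []},
]
SAMPLE_DEFAULT_DIALER = "com.example.bankhelper"

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_APPS, SAMPLE_DEFAULT_DIALER).items():
        print(pkg, "->", "; ".join(reasons))
```

A flagged app is a prompt for manual review, not a verdict: legitimate call-recording or assistive apps can hold the same permissions.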

The new and improved FakeCall malware reminds us that cyber threats are constantly adapting, becoming more complex and harder to detect. What started as a simple scam using fake call screens to mimic banking interactions has now transformed into a sophisticated tool that can intercept calls, record conversations and seamlessly integrate with Android systems to mimic user behavior.

Update, November 7, 2024:

A Google spokesperson issued the following statement: “Based on our current detection, no apps containing this malware were found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even if those apps come from sources outside of Play.”