A lot of the brand new obfuscation is the results of hiding malicious code in a dynamically decrypted and loaded .dex file of the apps. Because of this, Zimperium initially believed the malicious apps they had been analyzing had been a part of a beforehand unknown malware household. Then the researchers dumped the .dex file from an contaminated machine’s reminiscence and carried out static evaluation on it.
“As we delved deeper, a sample emerged,” Ortega wrote. “The companies, receivers, and actions carefully resembled these from an older malware variant with the bundle title com.safe.assistant.” That bundle allowed the researchers to hyperlink it to the FakeCall Trojan.
Most of the new options don’t look like totally applied but. Moreover the obfuscation, different new capabilities embrace:
Bluetooth Receiver
This receiver features primarily as a listener, monitoring Bluetooth standing and modifications. Notably, there isn’t any rapid proof of malicious conduct within the supply code, elevating questions on whether or not it serves as a placeholder for future performance.
Display screen Receiver
Much like the Bluetooth receiver, this element solely screens the display’s state (on/off) with out revealing any malicious exercise within the supply code.
Accessibility Service
The malware incorporates a brand new service inherited from the Android Accessibility Service, granting it vital management over the person interface and the power to seize info displayed on the display. The decompiled code reveals strategies resembling onAccessibilityEvent() and onCreate() applied in native code, obscuring their particular malicious intent.
Whereas the offered code snippet focuses on the service’s lifecycle strategies applied in native code, earlier variations of the malware give us clues about attainable performance:
- Monitoring Dialer Exercise: The service seems to watch occasions from the com.skt.prod.dialer bundle (the inventory dialer app), doubtlessly permitting it to detect when the person is trying to make calls utilizing apps apart from the malware itself.
- Computerized Permission Granting: The service appears able to detecting permission prompts from the com.google.android.permissioncontroller (system permission supervisor) and com.android.systemui (system UI). Upon detecting particular occasions (e.g., TYPE_WINDOW_STATE_CHANGED), it might probably robotically grant permissions for the malware, bypassing person consent.
- Distant Management: The malware permits distant attackers to take full management of the sufferer’s machine UI, permitting them to simulate person interactions, resembling clicks, gestures, and navigation throughout apps. This functionality permits the attacker to control the machine with precision.
Telephone Listener Service
This service acts as a conduit between the malware and its Command and Management (C2) server, permitting the attacker to challenge instructions and execute actions on the contaminated machine. Like its predecessor, the brand new variant gives attackers with a complete set of capabilities (see the desk beneath). Some functionalities have been moved to native code, whereas others are new additions, additional enhancing the malware’s means to compromise gadgets.
The Kaspersky put up from 2022 stated that the one language supported by FakeCall was Korean and that the Trojan appeared to focus on a number of particular banks in South Korea. Final yr, researchers from safety agency ThreatFabric said the Trojan had begun supporting English, Japanese, and Chinese language, though there have been no indications individuals talking these languages had been really focused.