“As we delved deeper, a pattern emerged,” Ortega wrote. “The services, receivers, and activities closely resembled those from an older malware variant with the package name com.secure.assistant.” That package allowed the researchers to link it to the FakeCall Trojan.
Many of the new features don’t appear to be fully implemented yet. Besides the obfuscation, other new capabilities include:
Bluetooth Receiver
This receiver functions primarily as a listener, monitoring Bluetooth status and changes. Notably, there is no immediate evidence of malicious behavior in the source code, raising questions about whether it serves as a placeholder for future functionality.
Screen Receiver
Similar to the Bluetooth receiver, this component only monitors the screen’s state (on/off) without revealing any malicious activity in the source code.
Accessibility Service
The malware incorporates a new service inherited from the Android Accessibility Service, granting it significant control over the user interface and the ability to capture information displayed on the screen. The decompiled code shows methods such as onAccessibilityEvent() and onCreate() implemented in native code, obscuring their specific malicious intent.
While the provided code snippet focuses on the service’s lifecycle methods implemented in native code, earlier versions of the malware give us clues about possible functionality:
- Monitoring Dialer Activity: The service appears to monitor events from the com.skt.prod.dialer package (the stock dialer app), potentially allowing it to detect when the user is attempting to make calls using apps other than the malware itself.
- Automatic Granting: The service seems capable of detecting prompts from the com.android.systemui (system UI). Upon detecting specific events (e.g., TYPE_WINDOW_STATE_CHANGED), it can automatically grant access for the malware, bypassing user consent.
- Remote Control: The malware enables remote attackers to take full control of the victim’s device UI, allowing them to simulate user interactions, such as clicks, gestures, and navigation across apps. This capability enables the attacker to manipulate the device with precision.
Phone Listener Service
This service acts as a conduit between the malware and its Command and Control (C2) server, allowing the attacker to issue commands and execute actions on the infected device. Like its predecessor, the new variant provides attackers with a comprehensive set of capabilities (see the table below). Some functionalities have been moved to native code, while others are new additions, further enhancing the malware’s ability to compromise devices.
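The component mix described above (an accessibility service, Bluetooth and screen-state receivers, and a service that handles phone activity) is something a defender can look for statically before an APK ever runs. The script below is an added example, not code from the Zimperium analysis or from the malware itself: it parses an AndroidManifest.xml and reports which of those indicators are declared. The two manifest strings are constructed for the example, and the grouping of indicators into a "FakeCall-like" profile and the weighting in risk_score are this example's own choices; the Android permission and intent-action names are real.

```python
"""Static triage of an AndroidManifest.xml for a FakeCall-style component mix:
accessibility service + Bluetooth-state receiver + screen-state receiver +
telephony permissions. Example code, not from the original analysis."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree prefix for android:* attributes

# Real Android identifiers; their grouping into one profile is this example's own.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BLUETOOTH_ACTIONS = {"android.bluetooth.adapter.action.STATE_CHANGED"}
SCREEN_ACTIONS = {"android.intent.action.SCREEN_ON", "android.intent.action.SCREEN_OFF"}
TELEPHONY_PERMISSIONS = {
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.READ_CALL_LOG",
}


def _actions(component):
    """All intent-filter action names declared under a <service>/<receiver>."""
    return {act.get(A + "name") for act in component.iter("action")}


def triage_manifest(xml_text):
    """Return {indicator_name: bool} for one manifest document."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    services = list(app.iter("service")) if app is not None else []
    receivers = list(app.iter("receiver")) if app is not None else []
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    return {
        # Either the binding permission or the accessibility intent action
        # marks a component as an AccessibilityService implementation.
        "accessibility_service": any(
            s.get(A + "permission") == ACCESSIBILITY_PERMISSION
            or ACCESSIBILITY_ACTION in _actions(s)
            for s in services
        ),
        "bluetooth_receiver": any(_actions(r) & BLUETOOTH_ACTIONS for r in receivers),
        "screen_state_receiver": any(_actions(r) & SCREEN_ACTIONS for r in receivers),
        "telephony_permissions": bool(perms & TELEPHONY_PERMISSIONS),
    }


def risk_score(findings):
    """One point per matched indicator, plus one extra for the accessibility
    service because it is the component that confers UI control (example weighting)."""
    score = sum(1 for hit in findings.values() if hit)
    if findings.get("accessibility_service"):
        score += 1
    return score


# Constructed sample: declares every indicator in the profile.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Sample">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".BtReceiver">
      <intent-filter>
        <action android:name="android.bluetooth.adapter.action.STATE_CHANGED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".ScreenReceiver">
      <intent-filter>
        <action android:name="android.intent.action.SCREEN_ON"/>
        <action android:name="android.intent.action.SCREEN_OFF"/>
      </intent-filter>
    </receiver>
    <service android:name=".PhoneListenerService"/>
  </application>
</manifest>
"""

# Constructed benign sample: a screen-state receiver alone is common and scores low.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.benign">
  <application android:label="Benign">
    <receiver android:name=".ScreenReceiver">
      <intent-filter><action android:name="android.intent.action.SCREEN_ON"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        hits = triage_manifest(text)
        print(label, risk_score(hits), {k for k, v in hits.items() if v})
```

Run against a real manifest by decoding it first (for example with apktool or aapt2), since the manifest inside an APK is binary XML; this script expects the decoded text form. A high score is a triage signal for an analyst, not proof of maliciousness, since legitimate accessibility tools and dialer replacements declare some of the same components.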
The Kaspersky post from 2022 said that the only language supported by FakeCall was Korean and that the Trojan appeared to target several specific banks in South Korea. Last year, researchers from security firm ThreatFabric said the Trojan had begun supporting English, Japanese, and Chinese, although there were no indications people speaking those languages were actually targeted.
Time.news Editor (TNE): Good afternoon, and welcome to our interview today. We have an intriguing guest with us, Cybersecurity Expert Dr. Elena Torres, who specializes in mobile malware analysis. Dr. Torres, thank you for joining us.
Dr. Elena Torres (ET): Thank you for having me! I’m excited to discuss this emerging malware variant and its implications.
TNE: Let’s dive right in. A recent analysis revealed that a new malware variant has features resembling the older FakeCall Trojan. Can you elaborate on this connection?
ET: Certainly! The research indicates that the new malware uses some core techniques and structures from the FakeCall Trojan, specifically linked through the package name com.secure.assistant. This connection suggests that the developers of the new malware are building upon existing frameworks, potentially to evade detection or to leverage proven tactics.
TNE: Interesting. The article mentions a Bluetooth receiver among the new functionalities. What do you make of its presence, especially considering that there’s no immediate malicious intent in the current code?
ET: That Bluetooth receiver is indeed curious. It functions merely as a listener to monitor Bluetooth status changes. The absence of malicious behavior could imply that it serves as a placeholder for future updates—essentially allowing attackers to refine their capabilities over time without raising immediate alarms. This gradual approach can make detection more challenging for security systems.
TNE: That makes sense. The “Screen Receiver” appears to follow a similar pattern. What potential threats does this pose for users?
ET: Right, the Screen Receiver’s role is to monitor the screen’s state without any overt malicious activities apparent at this stage. However, the capability to track whether a phone’s screen is on or off could be exploited to determine user activity patterns. If combined with more intrusive features, it could lead to serious privacy violations, like capturing screenshots or accessing sensitive information displayed on the screen.
TNE: There’s also mention of the malware leveraging the Android Accessibility Service. How does this enhance its capabilities?
ET: That’s a key point. By integrating with the Android Accessibility Service, the malware can gain significant control over the user interface. It can monitor actions, record input, and interact with other applications in ways that a typical app wouldn’t be able to. The specific methods referenced, like onAccessibilityEvent() and onCreate(), suggest that while the precise malicious functions remain obscured, they may grant the malware the ability to capture user interactions dynamically.
TNE: The analysis hints at monitoring dialer activity and automatic granting of permissions. Can you explain the implications of these features?
ET: Monitoring dialer activity means the malware could potentially recognize when a user is making calls through legitimate apps and not its own, which can facilitate call interception. As for the automatic permission granting capability, this is alarming because it means the malware could exploit system prompts to gain higher privileges without user consent. This could lead to advanced tracking, data theft, or even silent control over the device.
TNE: Given the sophistication of this malware, what steps can users take to protect themselves?
ET: Awareness is crucial. Users should regularly update their devices and applications to patch potential vulnerabilities. Installing antivirus solutions and being cautious about granting permissions to apps—especially new ones—can significantly reduce risks. Additionally, avoiding downloading apps from untrusted sources is essential. Educating oneself about the indicators of compromise can help users identify a potential malware infection early.
TNE: Thank you, Dr. Torres. Your insights on this emerging threat are invaluable. We appreciate you taking the time to unravel the complexities of this malware for our audience.
ET: Thank you! It was my pleasure discussing this critical topic. Let’s continue to keep our eyes peeled for developments in mobile security.
TNE: Absolutely. That concludes our interview for today. Stay informed, and be safe online!