In January this year, a new strain of Android malware called FakeBank was discovered. It was capable of intercepting SMS messages sent by banking institutions in order to snoop on one-time password (OTP) messages and steal funds from users’ accounts by exploiting mobile banking security practices.

The malware also spied on users and collected data such as the phone number, the account balance of a linked credit card, location information and the details of banking apps installed on the user’s smartphone. Now, a new variant of FakeBank has been discovered that is capable of intercepting calls and connecting users with fraudsters posing as bank representatives.

Spotted by Symantec’s cybersecurity team, the new variant of FakeBank can intercept both incoming and outgoing calls and redirect them to a different number used by the scammers.

Malware UI spoofing a legitimate bank app (Image Courtesy: Symantec)

According to Symantec’s report, the updated FakeBank malware has been spread through social media sites and third-party Android app marketplaces, and so far 22 apps have been found to be infected with it. However, the malware has only been known to target Korean banking institutions, and its activity has reportedly been limited to South Korea so far.

After being downloaded, the infected app collects the bank’s legitimate phone number and configures the scammer’s contact information in the malware’s configuration files. When users call their bank, the malware intercepts the outgoing call and redirects it to the scammer’s phone number. To avoid suspicion, the malware overlays a fake UI that mimics the bank’s real contact number and caller ID.

Incoming calls are intercepted too, and to simplify the scammer’s task of deception, the fake caller ID overlay is used again to make users believe that they are receiving a call from a bank employee. The new variant of FakeBank mostly affects devices that run Android 5.0; however, smartphones running Android 6.0 and Android 7.0 are also susceptible to the attack. Devices running Android 8.0 Oreo are immune to the attack, as Android Oreo does not allow an app to overlay a system window.
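
For defenders vetting apps from third-party marketplaces, the pairing described above (call interception plus a caller-ID overlay) can be flagged from a decoded `AndroidManifest.xml`. The following is an added example, not code from Symantec or from the article. It assumes the standard Android permission names for these capabilities (the article does not list the permissions FakeBank requests), and the function name, verdict labels and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted manifests

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
OREO_API = 26  # Android 8.0, which the article says blocks the overlay step

# Standard Android permission names mapped to the behaviours the article
# describes. Assumption: the article does not list FakeBank's actual permissions.
CAPABILITIES = {
    "redirect_outgoing_calls": {"android.permission.PROCESS_OUTGOING_CALLS"},
    "watch_incoming_calls": {"android.permission.READ_PHONE_STATE"},
    "draw_overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "read_sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
}

def triage_manifest(manifest_xml, device_api):
    """Return (capabilities, verdict) for a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            requested.add(el.get(ANDROID_NS + "name"))
    caps = sorted(c for c, perms in CAPABILITIES.items() if perms & requested)
    call_access = {"redirect_outgoing_calls", "watch_incoming_calls"} & set(caps)
    if call_access and "draw_overlay" in caps:
        # Call access plus an overlay is the pairing the article describes.
        verdict = "review-urgent" if device_api < OREO_API else "review-overlay-blocked"
    elif call_access or "read_sms" in caps:
        verdict = "review"
    else:
        verdict = "no-match"
    return caps, verdict

# Constructed sample manifests (not taken from any real app).
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.bankhelper">
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        for api in (21, 26):
            print(name, api, triage_manifest(xml, api))
```

Because `READ_PHONE_STATE` is requested by many legitimate apps, the verdicts are triage priorities for manual review, not a malware determination.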