Are you sure you know who’s on the other end of the line?
A malicious Android app is enabling criminals to intercept calls meant for government and financial institutions, researchers have warned.
Thousands of victims across Asia are being duped into downloading the app, which ultimately aims to trick them into handing over personal and financial details to fraudsters.
The app poses as a legitimate banking service that allows users to apply for secure loans or contact various banks across Asia.
However, once the victim calls what they believe to be their bank, the app forwards the call to a criminal who poses as a representative from the organization.
Even though the dialler shows the bank's genuine number, the app still redirects the call to the criminals, so the victim has no way of knowing they are falling for a voice phishing, or vishing, scam.
The campaign is believed to have originated in Taiwan and has since spread to China, Singapore, and South Korea.
Researchers from the Korea Financial Security Institute and Korea University have been tracking the criminal gang behind the scam since September 2017.
At Black Hat Asia, held in Singapore last month, researcher Min-Chang Jang demonstrated how the app is fooling smartphone users.
The methods by which the victim's phone is infected vary.
Researchers spoke to one man, identified as 'Mr Goo', who said he applied for a loan consultation online and, days later, received a text message pretending to be from his bank and offering him a loan.
The message looked legitimate and contained the real phone number of Mr Goo's bank, so his suspicions weren't raised when it directed him to an app he needed to download in order to "proceed" with the next stage of the application process.
This app appeared to have been developed by his bank, but it was actually built by the criminals.
Multiple versions of the software, purporting to be from various financial institutions, have been discovered, but by the time the research team received reports from victims, the servers behind them had already been shut down.
In April 2018, Jang and his colleagues received a report which led to the discovery of a live server, allowing them to take a deeper dive into the code.
They gained access to the web-based command-and-control server, whose address was hardcoded in one of the apps, and from there they were able to retrieve information on the destination accounts, which indicated that the criminal was based in Taiwan.
At the time of writing, both the Korean and Taiwanese police forces are investigating who is behind these apps.
So far, Jang has spoken with the suspected fraudsters once: he called the perpetrator after finding their mobile number hidden in the code, but they asked him to call back at another time.
It isn’t clear whether researchers have had further contact.
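The behaviour described in this article suggests a static triage check a practitioner can run on a decoded sample. An Android app that silently changes the destination of an outgoing call needs the PROCESS_OUTGOING_CALLS permission and a broadcast receiver for NEW_OUTGOING_CALL (the receiver rewrites the dialled number while the dialler keeps showing the number the user typed), and the hardcoded server address and contact number Jang's team found are exactly the kind of value that ends up in an app's string resources. The Python below is an added example, not the researchers' tooling or the malware's code; the manifest, package name, IP address and phone number are constructed, and it assumes the APK has been decoded to plain-text XML (for instance with apktool).

```python
"""Static triage of a decoded Android APK for call-redirection (vishing) indicators.

Added example, not the researchers' tooling. Assumes AndroidManifest.xml and
res/values/strings.xml are available as plain text (apktool output). The
sample manifest and strings below are constructed, not taken from a real app.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Permissions that together let an app observe and rewrite outgoing calls.
# PROCESS_OUTGOING_CALLS is required for a NEW_OUTGOING_CALL receiver to change
# the dialled number with setResultData() (deprecated from Android 10 / API 29,
# but live on the handsets of the 2017-2018 campaign). CALL_PHONE lets the app
# place calls itself; READ_PHONE_STATE and RECEIVE_SMS are common companions.
SUSPECT_PERMISSIONS = {
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECEIVE_SMS",
}
REDIRECT_ACTION = "android.intent.action.NEW_OUTGOING_CALL"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PHONE_RE = re.compile(r"\+?\d[\d\-\s]{7,}\d")

# Constructed sample: a loan-themed dropper that registers a high-priority
# outgoing-call receiver. Package name and class name are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeloan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Loan Service">
    <receiver android:name=".CallRedirectReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for comparison: asks for network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""

# Constructed strings.xml: the IP is from the TEST-NET-2 documentation range
# and the phone number is a placeholder, not a real number.
SAMPLE_STRINGS = """<resources>
  <string name="app_name">Loan Service</string>
  <string name="api_host">http://198.51.100.23/admin/</string>
  <string name="support_line">+886 2 1234 5678</string>
</resources>"""


def manifest_indicators(manifest_xml: str) -> dict:
    """Return the suspect permissions and any receivers listening for
    NEW_OUTGOING_CALL, plus a verdict on whether the app can rewrite calls."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    receivers = []
    for rcv in root.iter("receiver"):
        actions = {a.get(NAME) for a in rcv.iter("action")}
        if REDIRECT_ACTION in actions:
            receivers.append(rcv.get(NAME))
    can_rewrite = bool(receivers) and \
        "android.permission.PROCESS_OUTGOING_CALLS" in perms
    return {
        "permissions": sorted(perms & SUSPECT_PERMISSIONS),
        "outgoing_call_receivers": receivers,
        "can_rewrite_outgoing_calls": can_rewrite,
    }


def embedded_contacts(strings_xml: str) -> dict:
    """Pull URLs and phone numbers out of string resources; a hardcoded C2
    address or fraudster's number is what an analyst would pivot on next."""
    root = ET.fromstring(strings_xml)
    values = [(s.get("name"), (s.text or "").strip()) for s in root.iter("string")]
    urls = [(n, v) for n, v in values if URL_RE.search(v)]
    phones = [(n, v) for n, v in values if PHONE_RE.fullmatch(v)]
    return {"urls": urls, "phone_numbers": phones}


if __name__ == "__main__":
    print(manifest_indicators(SAMPLE_MANIFEST))
    print(manifest_indicators(BENIGN_MANIFEST))
    print(embedded_contacts(SAMPLE_STRINGS))
```

The manifest check is deliberately conservative: a receiver for NEW_OUTGOING_CALL on its own is used by legitimate call-blocking and dialler apps, so the verdict requires the PROCESS_OUTGOING_CALLS permission as well, and a loan or banking app that asks for it deserves a closer look. Anything the string scan turns up should be treated as a lead to verify, not as attribution.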