Image of gloved hand holding mobile phone showing login screen signifying Fakebank Android malware and the threat of vishing attacks
Fakebank Android Malware Evolves into Vishing Attack

Fakebank Android Malware Evolves into Vishing Attack

Security researchers have identified a new variant of the Fakebank Android malware that has been targeting users of Android devices. The original variant (discovered in January of 2018) intercepted bank SMS and recorded customer calls to financial institutions. It was also able to display fake login pages on Internet banking systems. The latest version adds even more functional threats to banking clients – in the form of ‘vishing’ (voice phishing) – it can now intercept outgoing and incoming calls where an Android device is being used.

When a bank customer makes phone calls to the financial institution that call is redirected to the scammers number which allows them to pose as legitimate employees of the bank or (in the older versions of the Android malware) display a fake bank login user interface when the banking client attempts to log into their account.

Who Is affected by the Android malware

According to Symantec which published details of the latest Fakebank release, the targets of the attacks seem to be Android users in South Korea. The blog said that there were 22 applications that were infected with Fakebank malware. These applications were usually hosted in so called ‘alternative’ application stores – but social networks were also affected.

The original version of the Android malware was first spotted by researchers at Trend Micro and targeted banking customers in Russia. Among FakeBank’s targets are customers of Russian financial institutions Sberbank, Leto Bank, and VTB24 Bank.

The fact that the Android Malware (with the new vishing capability) is primarily focused on users in South Korea should be of cold comfort to other users across the globe. “The Fakebank Android malware could soon be a model adopted by malware makers in parts of the world outside South Korea,” said Paul Bischoff, privacy advocate at Comparitech.

Android malware now comes with vishing built-in

When the malicious app is installed, it sends data to the command and control server with details of the Android smartphone as well as additional personal information about the user. The app then receives a configuration file with the phone numbers of the bank. When the user makes a call to the bank, he is then redirected to the number being used by the scammers. This is where the vishing attack comes into play.

This latest vishing attack angle is new. The scammers spreading the malware are now able to redirect calls to an agent who will impersonate the banking official. At the same time the data also allows the scammer to call the user – the Android malware will then display a fake caller ID to make it appear as though the phone call is really from the clients’ legitimate bank.

“In addition to tricking users into conversations with scammers, this malicious app sends call events to the C&C server. It also has a number of layouts customized to popular phone layouts in Korea,” said the Symantec researchers.

The Fakebank Android malware is advanced enough to target specific Android versions – and optimized to focus on those versions that would not require permissions from the user. At this point it seems that only users of Android devices running version 8 of the operating system are safe from the malware. This is because that version does not allow for the overlaying of a system window from an app.

Fakebank Android malware – next steps?

Frederik Mennes, senior manager for market and security strategy at VASCO offers advice for banks that are facing the vishing attacks posed by the latest version of the Fakebook mobile malware:

“Banks can protect themselves against vishing attacks by educating users, for example explaining that they shouldn’t install apps from unofficial stores, and requesting they review app privileges. However, this approach fails if the user makes a mistake. A stronger and better approach to protect against vishing consists of implementing transaction authentication, whereby the user must generate a valid dynamic authentication code in order to confirm a financial transaction. Fraudsters will have trouble convincing the user to generate and provide a valid authentication code for a fraudulent financial transaction, and hence will be stopped before doing any harm.”

Paul Bischoff of Comparitech had this advice for users of Android devices; .”Even though the attack uses a fairly novel approach to scam users, Android owners can avoid it using the same best practices used to avoid any other type of malware. First, update Android to the latest stable version. The newest release, Oreo, prevents the caller ID from being spoofed by the malware. Avoid downloading apps and files from unknown sources. Don’t trust apps from third-party app stores and be wary of links in web pages and emails. It’s also important to review and limit the permissions of apps you install (as well as) install and run antivirus regularly.”


The latest version of the Fakebank Android malware is significantly more advanced than the first version which surfaced early in 2018. By adding vishing capabilities the scammers have introduced the human element to the equation. Combined with the generation of overlays that imitate legitimate banking institutions and the rerouting of phone calls, the threat to banking is clients is very real.