Android malware that intercepts incoming calls to bypass two-factor authentication systems appeared earlier this year. Recently, experts at Symantec found a new follow-up to that malware, one that prevents users from making outgoing calls to banks from their smartphones.
The new trojan, which has call-barring functionality, is called Android.Fakebank.B, and it mainly targets customers of Russian and South Korean banks. Although the trojan dates back to October 2013, the call-cancelling capabilities were seen in March 2016.
After analyzing the new version of the Fakebank.B Android Trojan, security experts from Symantec found that, upon installation, the malware registers a BroadcastReceiver component. Because this component is triggered every time the user makes a call, the Trojan can monitor outgoing calls and dialed numbers on the infected device.
Android.Fakebank.B checks outgoing calls for numbers belonging to the customer service call centers of the target banks and then cancels those calls so that they are never placed. The experts at Symantec say the malware can block the following numbers: KB Bank: 15999999; KEB Hana Bank: 15991111; NH Bank: 15442100 and 15882100; Sberbank: 80055550; SC Bank: 15881599 and 15889999; and Shinhan Bank: 15448000, 15778000, and 15998000.
Usually, customers who call banking care centers through a registered mobile device are transferred to an Interactive Voice Response (IVR) system, which allows them to cancel stolen payment cards in a timely manner. However, the developers of Android.Fakebank.B can block users from doing so, which gives the attackers more time to steal data from the compromised device.
Nevertheless, victims of the malware can still find other means to contact the bank in order to stop the fraudulent transactions. These include calling from a landline or another mobile number, or sending an email.
The Android.Fakebank.B Trojan installs a backdoor and steals data from the compromised device. According to security researchers, the malware can also send messages to numbers in the compromised device’s contacts list.
Earlier this year, the Symantec experts warned about Bankosy, an Android Trojan created to deceive voice call-based two-factor authorization (2FA) systems by intercepting incoming calls from banks. Apart from stealing the users’ banking data, the malware could intercept and delete SMS messages and other data from the infected devices, essentially preventing the user from receiving alerts about the ongoing attack.