Full Report
Authored by Dexter Shin McAfee Mobile Research Team found an Android banking trojan signed with a key used by legitimate... The post Fakecalls Android Malware Abuses Legitimate Signing Key appeared first on McAfee Blog.
Analysis Summary
# Tool/Technique: Fakecalls Android Malware
## Overview
Fakecalls is an Android banking trojan discovered in South Korea that uniquely abuses a legitimate application signing key belonging to a reputable IT services company. This technique allows the malware to bypass signature-based detection mechanisms assuming that an app signed with a trusted key genuinely belongs to the legitimate developer. The malware functions as a dropper, installing a second, primary malicious APK responsible for extensive data exfiltration and device control.
## Technical Details
- Type: Malware family (Banking Trojan/Dropper)
- Platform: Android
- Capabilities: Bypassing signature-based detection via key reuse, payload dropping, data theft (SMS, contacts, call logs), call forwarding setup, call recording, remote command execution via push SDK.
- First Seen: Discovered last year (relative to April 20, 2023 disclosure).
## MITRE ATT&CK Mapping
The functionality observed maps primarily to mobile tactics:
- **TA0011 - Command and Control**
- **T1432 - Data Communication Channel** (Uses legitimate push SDK to receive C2 commands)
- **TA0010 - Exfiltration**
- **T1433 - Data Encrypted for Impact** (Implied by collection of sensitive data for exfiltration)
- **TA0005 - Defense Evasion**
- **T1437 - Signed Binary** (Abusing a legitimate signing key)
- **TA0009 - Collection**
- **T1429 - Audio Capture** (Call recording)
- **T1431 - Contact List** (Contacts upload)
- **T1430 - SMS Messages** (SMS interception/deletion)
## Functionality
### Core Capabilities
- **Initial Infection & Evasion:** The initial APK (Dropper) is obfuscated using the Tencent Legu Packer. It pretends to be a legitimate app (often mimicking banking apps via icon).
- **Payload Delivery:** The dropper extracts a secondary APK hidden within the assets directory, disguised as an HTML file (named "introduction.html"), and prompts the user to install it immediately upon launch.
- **Data Collection:** The main payload requests permissions to access and exfiltrate SMS messages, phone numbers, contacts, and call logs.
### Advanced Features
- **Legitimate Key Abuse:** Core defense evasion revolving around using a trusted developer's signature key.
- **Remote Control:** Implements extensive remote command structure, including setting up call forwarding, call recording, sending SMS, and manipulating device files.
- **C2 Communication:** Utilizes a legitimate push SDK to receive commands from the C2, potentially further obscuring communication channels.
- **Persistence/Control:** Registers multiple services and receivers to maintain control over notifications and C2 interaction.
## Indicators of Compromise
- File Hashes:
- SHA256: `7f4670ae852ec26f890129a4a3d3e95c079f2f289e16f1aa089c86ea7077b3d8` (Dropper)
- SHA256: `9e7c9b04afe839d1b7d7959ad0092524fd4c6b67d1b6e5c2cb07bb67b` (Payload - Name not specified in the snippet)
- File Names: `introduction.html` (used internally to store the payload APK)
- Registry Keys: N/A (Android artifacts)
- Network Indicators: C2 related domains were discovered and subsequently taken down or updated. Phishing sites mimicking banking sites were observed. (Specific functional IPs/Domains are not provided in a defanged context, only that C2 admin pages were accessible.)
- Behavioral Indicators: Application attempts to install a secondary application immediately upon launch; requests extensive permissions (SMS, Call Logs, Contacts); utilizes a legitimate push SDK for receiving instructions.
## Associated Threat Actors
- The threat actor group is not explicitly named, but the malware targets users in South Korea and abuses the signing key of a large, reputable Korean IT services company.
## Detection Methods
- Signature-based detection: McAfee Mobile Security detects this threat as **Android/Banker**, specifically looking for the recognized family traits regardless of the signing key used.
- Behavioral detection: Monitoring for applications that immediately attempt to install a secondary payload from assets, or suspicious use of push SDKs combined with extensive data access requests.
- YARA rules: Detection based on the presence of specific Tencent Legu Packer libraries or known strings related to the C2 command structure.
## Mitigation Strategies
- Prevention measures: Users should only install applications from official app stores (though this variant was not in official stores, general best practice applies).
- Hardening recommendations: Install and maintain reputable mobile security software capable of advanced behavioral detection. The legitimate company that owned the key has already replaced its signing key.
## Related Tools/Techniques
- Other Android banking trojans that utilize custom packers or obfuscation techniques (e.g., those using Legu Packer).
- Malware leveraging legitimate developer infrastructure or signing resources (e.g., side-loading attacks using previously compromised keys).