After Android malware that intercepts incoming calls to bypass two-factor authentication systems emerged earlier this year, Symantec researchers have now discovered a Trojan that prevents users from making outgoing calls to banks from their smartphones.
Dubbed Android.Fakebank.B, the malware was observed to include call-barring functionality in March this year and to be targeting mainly customers of Russian and South Korean banks. The Trojan is dated back to October 2013, but the call-cancelling capabilities weren’t seen before this year.
While analyzing the latest version of the Fakebank.B Android Trojan, Symantec researchers discovered that, upon installation, the malware would register a BroadcastReceiver component. Given that this component is triggered each and every time that the user makes a call, the Trojan could then monitor the outgoing calls and dialed numbers on the infected device.
The Trojan monitors ongoing calls for numbers belonging to customer service call centers of the target banks, and then programmatically cancels these calls from being placed. According to Symantec researchers, the malware can block the following numbers: KB Bank: 15999999; KEB Hana Bank: 15991111; NH Bank: 15442100 and 15882100; Sberbank: 80055550; SC Bank: 15881599 and 15889999; and Shinhan Bank: 15448000, 15778000, and 15998000.
Customers calling banking care centers through a registered mobile device are usually routed to an Interactive Voice Response (IVR) System, allowing them to cancel stolen payment cards in a timely manner. However, malware creators can block users from doing so, which also gives them more time to steal data from the compromised device, researchers say.
However, victims can still find other means to contact the bank to stop the fraudulent transactions, including calling from a landline or another mobile number, or sending an email. The Fakebank.B Trojan installs a backdoor and steals information from the compromised device and may also send messages to numbers in the compromised device’s contacts list, researchers say.
In early 2016, Symantec researchers warned about Bankosy, an Android Trojan designed to deceive voice call-based two-factor authorization (2FA) systems by intercepting incoming calls from banks. In addition to stealing users’ banking data, the malware could also intercept and delete SMS messages and other data from the infected devices, essentially preventing the user from receiving alerts on the ongoing compromise.
Related: Android Malware Gang Makes $10,000 a Day: Report
Related: Android Malware Targets Europe via Smishing Campaigns