FakeBank Was Upgraded and Now Intercepts Calls to Scam Users

A malicious Android infection named FakeBank was first discovered in January. The original version of this threat was unveiled by researchers at Trend Micro, who reported that the threat could intercept text messages to record bank security codes, which would then be used to reset account passwords and, ultimately, allow schemers to take over these accounts. It was found that the threat was primarily targeting Sberbank, Leto Bank, and VTB24 Bank customers in Russia; however, victims were found in other countries as well. The infection was controlled via an app that had the capability of communicating with a remote C&C server, which allowed quick transfer of sensitive information. The malicious app could also scan the device for antivirus software, and if it was found, no malicious behavior would be initiated. Unfortunately, FakeBank has evolved since then, and now it can intercept calls to trick users into calling schemers. This version primarily targets Android users in South Korea.


According to the report recently published by Symantec, at least 22 different Android apps are now spreading the devious FakeBank. There is no information about these apps being distributed via the Google Play store at the moment, and although this is the most reliable source for Android apps, you need to be careful because Tizi Spyware, Sockbot, and other threats have been spread via Google Play store in the past. According to the latest information, the 22 apps that were found to conceal the malicious FakeBank are primarily spread via unreliable app stores or using social networking scams. In the first variant of the infection, when users launched the fictitious app, it would showcase spoofed bank login interfaces to trick unsuspecting users into disclosing personal information. This new variant of the threat focuses on intercepting phone calls. It can do so with both incoming and outgoing calls.

When personal information about the targeted victim is sent to FakeBank’s C&C server, it sends back four unique phone numbers that are used in the scam. First, there is the “phoneNum_ChangeNum” number that represents the authentic number of the bank and that will be replaced. Next, there is “phoneNum_To,” which is the number that is dialed instead of the authentic number. “phoneNum_Come” is the number that the schemer can use to call the victim, and “phoneNum_ShowNum” is the real number that FakeBank overlays when the call is made. Because the number that the victim sees is authentic, they are unlikely to realize that someone is intercepting the call and posing as real bank operators. Using this disguise, schemers can trick victims into disclosing personal information that could be used to perform illicit transactions or hijack user’s banking accounts altogether. In the worst case scenario, the victim’s accounts could be emptied. At the moment, it appears that FakeBank is primarily terrorizing users in South Korea; however, now that the creator of this malware knows how to scam users, they could help the infection cross over to other regions as well. Without a doubt, everyone using Android devices must take appropriate security measures to ensure that malware does not intercept messages and calls because that is very dangerous.

Android users who have not faced FakeBank yet need to take certain security measures. First and foremost, it is important to look at app-downloading habits. As mentioned before, Android apps should be downloaded only from the Google Play Store; however, letting the guard down while using this source is not advisable. Before installing the app, it is important to research it to learn more about it. Also, it is important to read through the permissions that are granted to the app when it is installed. If any of the permissions are questionable, finding an alternative app is recommended. It is also recommended that Android users download reliable antivirus apps to help them protect their devices. As discussed earlier, FakeBank removes itself if security apps are detected. Keeping the device malware-free might require an investment – depending on what kind of security app is installed – but dealing with malware can cost much more. FakeBank is a silent threat that, once installed, can lead to financial insecurity, and it is important to do everything it takes to keep it away.


Aimoto, S. March 15, 2018. New Fakebank Variant Intercepts Calls to Connect Banking Users to Scammers. Symantec Blog.
Pan, J., Wang, S. January 10, 2018. New Mobile Malware Uses Layered Obfuscation and Targets Russian Banks. Trend Micro.