S1080 Fakecalls
Fakecalls is an Android trojan, first detected in January 2021, that masquerades as South Korean banking apps. It can intercept calls to banking institutions and even maintain realistic dialogues with the victim using pre-recorded audio snippets.[1]
| Item | Value |
|---|---|
| ID | S1080 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 21 July 2023 |
| Last Modified | 11 October 2023 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1429 | Audio Capture | Fakecalls can turn on a device’s microphone to capture audio.[1] |
| mobile | T1616 | Call Control | Fakecalls can intercept and imitate phone conversations by breaking the connection and displaying a fake call screen. It can also make outgoing calls and spoof incoming calls.[1] |
| mobile | T1533 | Data from Local System | Fakecalls can access and exfiltrate files, such as photos or video.[1] |
| mobile | T1646 | Exfiltration Over C2 Channel | Fakecalls can send exfiltrated data back to the C2 server.[1] |
| mobile | T1630 | Indicator Removal on Host | - |
| mobile | T1630.002 | File Deletion | Fakecalls can manipulate a device’s call log, including deleting incoming calls.[1] |
| mobile | T1430 | Location Tracking | Fakecalls can access a device’s location.[1] |
| mobile | T1655 | Masquerading | - |
| mobile | T1655.001 | Match Legitimate Name or Location | Fakecalls has masqueraded as popular Korean banking apps.[1] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.002 | Call Log | Fakecalls can access the device’s call log.[1] |
| mobile | T1636.003 | Contact List | Fakecalls can copy and exfiltrate a device’s contact list.[1] |
| mobile | T1636.004 | SMS Messages | Fakecalls can access text message history.[1] |
| mobile | T1512 | Video Capture | Fakecalls can request camera permissions.[1] |