When malware actors want to enter the business, they can choose markets where their profit is almost guaranteed to be worth the effort – according to past results. The malware does not need to be high profile, just careful selection of the audience and the right market can be enough.

This is the exact case that we observed in South Korea when we encountered an Android Trojan named FakeCalls. This malware can masquerade as one of more than 20 financial applications and imitate phone conversations with bank or financial service employees – perform the attack called voice phishing, or vishing.

Vishing attacks have a long history in the South Korean financial market. The problem was so serious that it even drew the attention from the government that resulted in a careful investigation and subsequent report: financial losses due to voice phishing constituted approximately 600 million USD in 2020, with the number of victims reaching as many as 170,000 people in the period from 2016 to 2020. Knowing these facts, we understand why exactly this country and this market were chosen by FakeCalls.

We discovered more than 3500 samples of the FakeCalls malware that used a variety of combinations of mimicked financial organizations and implemented several new anti-analysis techniques. In our presentation we describe all of the encountered anti-analysis techniques, and show how to mitigate them, refer to the history of South Korean vishing attacks and speak about the key details of the malware functionality.