{
	"id": "c96d2b73-9d94-49e4-bc05-142bfa1dae51",
	"created_at": "2026-04-06T00:06:21.36955Z",
	"updated_at": "2026-04-10T03:21:58.97237Z",
	"deleted_at": null,
	"sha1_hash": "88ab7ca09cfc625038ec2955aa33b9cd71f98dba",
	"title": "Fakecalls: a talking Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 792208,
	"plain_text": "Fakecalls: a talking Trojan\r\nBy Igor Golovin\r\nPublished: 2022-04-11 · Archived: 2026-04-05 19:22:23 UTC\r\nCybercriminals are always coming up with ever more sophisticated malware. Last year, for example, saw the\r\nappearance of an unusual banking Trojan called Fakecalls. Besides the usual spying features, it has an interesting\r\nability to “talk” with the victim in the guise of a bank employee. There is little information about Fakecalls online,\r\nso we decided to shed some light on its capabilities.\r\nTrojan in disguise\r\nFakecalls mimics the mobile apps of popular Korean banks, among them KB (Kookmin Bank) and KakaoBank.\r\nCuriously, in addition to the usual logos, the Trojan’s creators display the support numbers of the respective banks\r\non the Fakecalls screen. These phone numbers appear to be real — the number 1599-3333, for instance, can be\r\nfound on the main page of the KakaoBank official website.\r\nhttps://www.kaspersky.com.au/blog/fakecalls-banking-trojan/30379/\r\nPage 1 of 5\n\nThe Trojan imitates the KB (left) and KakaoBank (right) banking apps\r\nWhen installed, the Trojan immediately requests a whole host of permissions, including access to contacts,\r\nmicrophone and camera, geolocation, call handling, and so on.\r\nCalling the bank\r\nUnlike other banking Trojans, Fakecalls can imitate phone conversations with customer support. If the victim calls\r\nthe bank’s hotline, the Trojan discreetly breaks the connection and opens its own fake call screen instead of the\r\nregular calling app. The call appears to be normal, but in fact the attackers are now in control.\r\nThe only thing that might give away the Trojan at this stage is the fake call screen. Fakecalls has only one\r\ninterface language: Korean. This means that if another system language is selected on the phone — say, English\r\n— the victim will likely smell a rat.\r\nhttps://www.kaspersky.com.au/blog/fakecalls-banking-trojan/30379/\r\nPage 2 of 5\n\nAfter the call is intercepted, there are two possible scenarios. In the first, Fakecalls connects the victim directly\r\nwith the cybercriminals, since the app has permission to make outgoing calls. In the second, the Trojan plays\r\nprerecorded audio imitating the standard greeting from the bank.\r\nhttps://www.kaspersky.com.au/blog/fakecalls-banking-trojan/30379/\r\nPage 3 of 5\n\nFakecalls code fragment that plays prerecorded audio during an outgoing call\r\nSo that the Trojan maintains a realistic dialogue with the victim, the cybercriminals have recorded several phrases\r\n(in Korean) typically uttered by voicemail or call-center employees. For example, the victim might hear\r\nsomething like this: “Hello. Thank you for calling KakaoBank. Our call center is currently receiving an unusually\r\nlarge volume of calls. A consultant will speak to you as soon as possible. \u003c...\u003e To improve the quality of the\r\nservice, your conversation will be recorded.” Or: “Welcome to Kookmin Bank. Your conversation will be\r\nrecorded. We will now connect you with an operator.”\r\nAfter that, the attackers, under the guise of a bank employee, can try to coax payment data or other confidential\r\ninformation out of the victim.\r\nBesides outgoing calls, Fakecalls can spoof incoming calls as well. When the cybercriminals want to contact the\r\nvictim, the Trojan displays its own screen over the system one. As a result, the user sees not the real number used\r\nhttps://www.kaspersky.com.au/blog/fakecalls-banking-trojan/30379/\r\nPage 4 of 5\n\nby the cybercriminals, but the one shown by the Trojan, such as the phone number of the bank’s support service.\r\nSpyware toolkit\r\nIn addition to mimicking telephone customer support, Fakecalls has features more typical of banking Trojans. For\r\nexample, at the attackers’ command, the malware can turn on the victim’s phone’s microphone and send\r\nrecordings from it to their server, as well as secretly broadcast audio and video from the phone in real time.\r\nThat’s not all. Remember the permissions the Trojan asked for during installation? The cybercriminals can use\r\nthem to determine the device’s location, copy the contacts list or files (including photos and videos) from the\r\nphone to their server, and access the call and text message history.\r\nThese permissions allow the malware not only to spy on the user, but to control their device to a certain extent,\r\ngiving the Trojan the ability to drop incoming calls and delete them from the history. This allows the scammers,\r\namong other things, to block and hide real calls from banks.\r\nKaspersky solutions detect this malware with the verdict Trojan-Banker.AndroidOS.Fakecalls, and safeguards the\r\ndevice.\r\nHow to stay protected\r\nTo prevent your personal data and money from falling into cybercriminal hands, follow these simple tips:\r\nDownload apps only from official stores and do not allow installations from unknown sources. Official\r\nstores run checks on all programs, and even if malware still sneaks in, it usually gets promptly removed.\r\nPay attention to what permissions apps ask for and whether they really need them. Don’t be afraid to deny\r\npermissions, especially potentially dangerous ones like access to calls, text messages, accessibility and so\r\non.\r\nNever give confidential information over the phone. Real bank employees will never ask for your online\r\nbanking login credentials, PIN, card security code or confirmation codes from text messages. If in doubt,\r\ngo to the bank’s official website and find out what employees can and cannot ask about.\r\nInstall a robust solution that protects all your devices from banking Trojans and other malware.\r\nSource: https://www.kaspersky.com.au/blog/fakecalls-banking-trojan/30379/\r\nhttps://www.kaspersky.com.au/blog/fakecalls-banking-trojan/30379/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.kaspersky.com.au/blog/fakecalls-banking-trojan/30379/"
	],
	"report_names": [
		"30379"
	],
	"threat_actors": [],
	"ts_created_at": 1775433981,
	"ts_updated_at": 1775791318,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88ab7ca09cfc625038ec2955aa33b9cd71f98dba.pdf",
		"text": "https://archive.orkl.eu/88ab7ca09cfc625038ec2955aa33b9cd71f98dba.txt",
		"img": "https://archive.orkl.eu/88ab7ca09cfc625038ec2955aa33b9cd71f98dba.jpg"
	}
}