1
00:00:01,600 --> 00:00:11,759
Produced by PI Media. Hi,
I'm Ran Levi. Welcome to CPRadio.

2
00:00:12,599 --> 00:00:17,039
Have you ever received a phone call
from a robot that was just such

3
00:00:17,160 --> 00:00:23,199
an obvious scam? Hello? Owner
of household? You have been approved for

4
00:00:23,280 --> 00:00:29,000
a low interest mortgage or something
like that. It's almost offensive. If

5
00:00:29,039 --> 00:00:32,799
you're gonna try to trick me,
at least put in a little effort,

6
00:00:32,960 --> 00:00:37,960
you know. Maybe it's because in
America or Europe or wherever you live,

7
00:00:38,320 --> 00:00:43,079
there are so many people to scam, so many numbers to autodial, that

8
00:00:43,200 --> 00:00:47,920
criminals don't need to be all
that talented to pick up a few gullible

9
00:00:48,000 --> 00:00:56,719
stragglers. Or maybe it's the same
logic behind Nigerian Prince emails. Years ago,

10
00:00:56,920 --> 00:01:03,039
a Microsoft researcher wrote how sounding like
a scammer, quote, is an advantage to

11
00:01:03,079 --> 00:01:07,079
the attacker, not a disadvantage.
Since his attack has a low density of

12
00:01:07,200 --> 00:01:14,840
victims, the Nigerian scammer has an
overriding need to reduce false positives. By

13
00:01:14,920 --> 00:01:19,239
sending an email that repels all but
the most gullible, the scammer gets the

14
00:01:19,319 --> 00:01:26,079
most promising marks to self select and
tilts the true to false positive ratio in

15
00:01:26,159 --> 00:01:32,319
his favor. End quote. But
for all the stupid spam out there,

16
00:01:32,719 --> 00:01:38,599
there exists a small percentage which is
legitimately worrying for even rational people. You

17
00:01:38,680 --> 00:01:44,040
might have encountered it yourself, especially
if you live in a place like South

18
00:01:44,159 --> 00:01:49,799
Korea. According to a report published
by the Korean government, scam calls,

19
00:01:49,920 --> 00:01:56,120
or what we might refer to as
voice phishing, compromise nearly two hundred Korean citizens

20
00:01:56,120 --> 00:02:00,840
every day, around one hundred and
seventy thousand people in all between twenty sixteen

21
00:02:01,079 --> 00:02:07,159
and twenty twenty, with average financial
losses around eight thousand, five hundred dollars

22
00:02:07,199 --> 00:02:13,599
worth of Korean won. We're talking
about a total of around a billion US

23
00:02:13,680 --> 00:02:20,280
dollars racked in by scammers in just
half a decade. If it's that successful

24
00:02:20,479 --> 00:02:25,319
in just one country, surely they're
doing something right and there's more substance to

25
00:02:25,479 --> 00:02:32,280
these attacks than what you might be
used to. This episode is about one

26
00:02:32,319 --> 00:02:38,479
of those campaigns affecting everyday Koreans right
now, called FakeCalls, and what

27
00:02:38,599 --> 00:02:44,199
it might have to show us about
cybersecurity in our part of the world as

28
00:02:44,240 --> 00:02:51,599
well. To help us is Raman
Ladutska. I'm a part of the Check Point Research

29
00:02:51,719 --> 00:02:57,759
team and I'm involved in different tasks. Mainly it's malware research, but from

30
00:02:57,840 --> 00:03:02,039
time to time it may be other
investigations. And right now we will speak

31
00:03:02,080 --> 00:03:10,039
about the latest research conducted by Bohdan
and me on FakeCalls. And Bohdan Melnykov.

32
00:03:10,439 --> 00:03:15,000
Okay, so I'm Bohdan, I'm
working at Check Point as a malware researcher,

33
00:03:15,439 --> 00:03:21,319
I'm trying to save the world by
analyzing the malicious samples, reversing applications,

34
00:03:21,439 --> 00:03:24,680
trying to extract the interesting data from
them. And that's pretty much it.

35
00:03:25,080 --> 00:03:30,439
We begin with a regular Korean citizen
going about their life when they come across

36
00:03:30,599 --> 00:03:37,240
a loan offer online, on a website
or in their inbox: download this app

37
00:03:37,360 --> 00:03:42,039
to take advantage of this offer,
and so on. The application looks like

38
00:03:42,360 --> 00:03:46,560
well, a legit banking application.
Maybe a loan offer would seem a little

39
00:03:46,639 --> 00:03:51,960
fishy, but it's coming from their
bank. The fonts, the logos,

40
00:03:52,120 --> 00:03:57,840
language and everything are all recognizable.
At this point, we might consider this

41
00:03:57,960 --> 00:04:02,280
person unlucky. In Korea,
seven banks manage between two hundred and seventy

42
00:04:02,280 --> 00:04:09,080
five and five hundred trillion won and
another dozen manage between one hundred and one

43
00:04:09,120 --> 00:04:15,240
hundred trillion, and an efficient hacker might
try to scam customers of the biggest bank

44
00:04:15,680 --> 00:04:19,680
or the second biggest to try and
have the highest rate of victims possible.

45
00:04:20,199 --> 00:04:27,000
But with twenty options available, one
person has a pretty good chance of not

46
00:04:27,199 --> 00:04:31,839
being included in that bunch. In
reality, though, it has nothing to do

47
00:04:32,040 --> 00:04:36,720
with luck. The malware operators generate
a lot of various versions of the malware

48
00:04:36,920 --> 00:04:45,000
that has the like interface of popular
banks. One Trojan with over twenty interfaces,

49
00:04:45,120 --> 00:04:50,480
a display for everyone, no matter
whom you're banking with. It may ask

50
00:04:50,600 --> 00:04:56,680
the user what bank the user uses.
Because the malware actors generate a lot of

51
00:04:56,839 --> 00:05:01,319
variants of the application to target various banks, and then it just installs this application

52
00:05:01,399 --> 00:05:05,040
to get the loan. It looks
pretty legit for it. You see that

53
00:05:05,160 --> 00:05:12,399
it's from some specific bank.
Remarkably, the app too looks pretty good.

54
00:05:13,519 --> 00:05:18,399
So when a victim installs this application
on his or her device, he or she

55
00:05:18,480 --> 00:05:25,079
gets an impression that this application is
a real banking application and it is able

56
00:05:25,120 --> 00:05:30,800
to perform the same operations. To get
the data they need, the attackers dangle

57
00:05:31,000 --> 00:05:39,079
that loan offer. The fake loan offers
which offer lower interest rates in comparison to

58
00:05:39,959 --> 00:05:46,160
South Korean banks and financial institutions,
and this is the main reason why victim

59
00:05:46,399 --> 00:05:54,839
will accept this offer and, hopefully for malware
attackers, continue this attack chain. So what

60
00:05:55,000 --> 00:06:00,079
happens exactly after the victim accepts this
fake loan offer may vary from version to

61
00:06:00,240 --> 00:06:05,319
version. In general, they're just
trying to ask some information like name,

62
00:06:05,439 --> 00:06:12,160
contact, where you're working, your
salary, required amount, ID number,

63
00:06:12,519 --> 00:06:17,879
and then operates with this information. All
the information you'd expect to have to

64
00:06:17,920 --> 00:06:24,480
give in order to receive a loan, a kind of facade of legitimacy when

65
00:06:24,639 --> 00:06:29,759
in the end, what the hackers really
want are our credit card numbers. In some

66
00:06:29,839 --> 00:06:36,279
cases the apps outright ask for it. The user has to input his or

67
00:06:36,279 --> 00:06:43,680
her credit card details, like sensitive data, and this is the whole point of

68
00:06:43,759 --> 00:06:48,639
this mimicking. In other cases,
to keep up the facade of a legitimate

69
00:06:48,720 --> 00:06:56,560
loan opportunity, there are more steps
involved. For example, some pre recorded

70
00:06:56,639 --> 00:07:00,360
audio tracks may be launched, and
so the victim will get an impression of

71
00:07:00,399 --> 00:07:06,279
speaking with an automated machine from the
bank, which gives an instruction to leave

72
00:07:06,319 --> 00:07:12,759
credit card details, to input these
details into some form and then send it

73
00:07:12,839 --> 00:07:18,480
to the presumable bank or something like
this. People are less receptive to automated

74
00:07:18,560 --> 00:07:24,600
calls, as we've already discussed,
so for better results, the hackers pick

75
00:07:24,680 --> 00:07:30,240
up the phones themselves and then the
victim will speak with a real person who

76
00:07:30,279 --> 00:07:34,360
will be, of course, a malware operator. The interesting thing about it is the

77
00:07:34,480 --> 00:07:42,680
application helps the attacker to fool the user
by placing, like showing, not the real

78
00:07:42,759 --> 00:07:46,279
number, but the number, the
number that is related to the bank, a specific

79
00:07:46,319 --> 00:07:51,360
bank. It's worth remembering throughout the
scam just how far the attackers are going

80
00:07:51,399 --> 00:07:57,680
to keep up appearances: a fake application
that looks like the real thing and is

81
00:07:57,839 --> 00:08:03,199
fully operational, and at this stage, phone
calls with actual human beings coming from the

82
00:08:03,360 --> 00:08:09,360
targeted bank's actual phone number. How
do they even do that? It has

83
00:08:09,439 --> 00:08:16,839
like a call listener in the application
that analyzes the incoming phone number,

84
00:08:16,160 --> 00:08:20,560
and if it's interesting to it,
like it's their phone number, they can

85
00:08:20,600 --> 00:08:26,319
replace it with the bank number.
There are other ways to mask the attackers

86
00:08:26,399 --> 00:08:31,919
number as a legitimate one, at
least theoretically. They may show, they draw the

87
00:08:33,039 --> 00:08:39,759
specific images of the stock dialer on
some Samsung phones, just to fool the victim.

88
00:08:39,039 --> 00:08:46,559
Also, it may replace the phone
call logs information, just to, again, if

89
00:08:46,600 --> 00:08:50,399
you'll, like, reopen the call history, you'll see, oh, it was

90
00:08:50,440 --> 00:08:54,679
a real bank operator. Also,
it may modify the contacts in your phone

91
00:08:54,720 --> 00:09:00,279
book, just to again verify that
this was a legit call, and so

92
00:09:00,440 --> 00:09:05,360
on. In all, FakeCalls
is some of the most multifunctional malware you'll

93
00:09:05,360 --> 00:09:09,759
ever see. We haven't even mentioned, for example, its ability to capture

94
00:09:09,919 --> 00:09:16,200
live audio and video streams from the
device's microphone and either it's front or back

95
00:09:16,320 --> 00:09:24,080
camera, streaming that data straight to the
attackers' C2 servers. Perhaps FakeCalls

96
00:09:24,240 --> 00:09:30,840
has to be this good to distinguish
itself in an already fruitful underground voice phishing

97
00:09:30,960 --> 00:09:37,600
industry. So this market is very
profitable for the attackers, and this scheme

98
00:09:37,720 --> 00:09:43,679
is very effective. So FakeCalls
just takes the best of this world and

99
00:09:43,799 --> 00:09:50,440
tries to reimplement what was already established
some time ago in South Korea and the

100
00:09:50,679 --> 00:09:54,960
normal Android malware that are the
same. Okay, so this is the

101
00:09:54,000 --> 00:09:58,279
first kind of attack that we were
aware of in the cybersecurity space. Like

102
00:09:58,360 --> 00:10:03,320
it became interesting of itself. Yeah, that's why FakeCalls is pretty

103
00:10:03,320 --> 00:10:09,480
interesting in and of itself, because there are a lot
of various bankers that are able to steal

104
00:10:09,559 --> 00:10:16,240
the data, send text messages from
the device, credentials, but like playing some

105
00:10:16,440 --> 00:10:22,039
voices for the user, stream your camera
to their server. It's a pretty unique technique.

106
00:10:22,360 --> 00:10:26,879
It wasn't used before. Researchers at
Kaspersky first published details of the Fake

107
00:10:28,000 --> 00:10:33,200
Calls malware campaign about a year ago. In the time since, the attackers

108
00:10:33,279 --> 00:10:39,080
have been constantly improving upon their capabilities. The malicious actors generate a lot of

109
00:10:39,120 --> 00:10:45,639
applications every day and according to the
code, they always evolve. They started

110
00:10:45,679 --> 00:10:48,200
from storing the C&C, for
example, in a resource file. Then

111
00:10:48,240 --> 00:10:54,559
they decided to place it into the code
and encrypt it. Then the key was

112
00:10:54,600 --> 00:10:58,480
located in the resources, then in
the code. Then they decided to go

113
00:10:58,559 --> 00:11:03,759
to the droppers, so they started
from using GitHub as such a

114
00:11:03,879 --> 00:11:07,360
web-based mirror, then reached
Google Drive. So they're always trying to

115
00:11:07,399 --> 00:11:15,080
improve the malware and generate more samples. More samples means that the Trojan can

116
00:11:15,120 --> 00:11:20,279
continue to stay under the radar.
Once anti virus programs pick up on their

117
00:11:20,360 --> 00:11:24,799
scent, they're already wearing a new
perfume. In fact, the FakeCalls

118
00:11:24,879 --> 00:11:31,200
hackers have implemented a new suite of
mechanisms designed to evade detection by the victim

119
00:11:31,600 --> 00:11:37,559
by any anti virus software they may
have running and by security researchers themselves.

120
00:11:37,960 --> 00:11:43,759
First of all, they are trying
to add the anti-analysis techniques that will

121
00:11:43,879 --> 00:11:50,840
break the logic of antivirus engines, that will
fail under application analysis. The second thing

122
00:11:50,960 --> 00:11:58,120
is that they create the parent application that
has almost no permissions and create the real

123
00:11:58,240 --> 00:12:03,679
malicious application in the assets folder. So
if some antivirus will analyze the application,

124
00:12:03,840 --> 00:12:09,120
it'll see that there is almost
no permission and nothing to worry about.

125
00:12:09,120 --> 00:12:15,120
And finally, when the user will
install this payload that contains all the

126
00:12:15,559 --> 00:12:20,799
malicious functionality, it will start
collecting the data from the user device

127
00:12:20,879 --> 00:12:26,639
and it will be too late to
block, like to detect this malware before the

128
00:12:26,720 --> 00:12:31,600
installation. Yeah, but so basically, if the user may try to check

129
00:12:31,639 --> 00:12:37,159
the application on some sites, it
will see that application is legit. But

130
00:12:37,759 --> 00:12:41,919
if you don't have any like antivirus
installed on their device, it will

131
00:12:41,960 --> 00:12:46,200
not be able to understand that
some other application inside this application that

132
00:12:46,240 --> 00:12:50,879
will be installed. Despite a year in
the wild, and who knows how many

133
00:12:50,960 --> 00:12:58,840
victims compromised. So many questions about
fake calls still remain unanswered. We suppose

134
00:13:00,000 --> 00:13:03,200
that there is only one operator behind
this malware. It's not widely spread,

135
00:13:03,440 --> 00:13:09,519
it's not available for rent or something
like this. So this is the malware

136
00:13:09,639 --> 00:13:13,639
that is used by the malware
operators for themselves. But we cannot

137
00:13:13,679 --> 00:13:18,399
really say who is behind it.
It may be a governmental attack from another

138
00:13:18,480 --> 00:13:22,799
country. It may be just a
private attempt to gather as much money as

139
00:13:22,799 --> 00:13:28,759
possible. And in order to say
this, we have to cooperate with various

140
00:13:28,759 --> 00:13:33,799
security institutions, maybe even law enforcement,
to investigate further, because according to

141
00:13:33,799 --> 00:13:39,240
all sources, we're not able to
say with more precision. As long as

142
00:13:39,279 --> 00:13:46,080
the attackers keep evading governments and cyber
researchers, and as long as these attacks

143
00:13:46,159 --> 00:13:50,879
remain as effective as they are,
more hackers will likely adopt these same tactics,

144
00:13:52,200 --> 00:13:56,080
and the problem will grow and spread, likely to a country near you.

145
00:13:58,399 --> 00:14:01,639
As we see, this market is
still profitable, the malware is still

146
00:14:01,840 --> 00:14:07,279
lurking there. The new versions of
FakeCalls malware still appear, and so

147
00:14:09,200 --> 00:14:16,279
the attacks continue. Be aware the next
time you pick up the phone. That's

148
00:14:16,279 --> 00:14:20,279
it for this episode. Thank you
for listening. For past episodes of the

149
00:14:20,320 --> 00:14:26,639
podcast, visit the Check Point Research blog at
research dot checkpoint dot com, and you

150
00:14:26,679 --> 00:14:31,320
can follow Check Point Research on Twitter or
follow me at Ran Levi, at R A N

151
00:14:31,639 --> 00:14:37,879
L E V I. CPRadio is
produced by PI Media, written by Nate

152
00:14:37,960 --> 00:14:43,000
Nelson, produced by Hila Shmish,
and edited and narrated by Ran Levi.

153
00:14:43,360 --> 00:14:46,480
See you next episode, Bye bye,
