WEBVTT

1
00:00:01.600 --> 00:00:11.759
Produced by PI Media. Hi,
I'm Ran Levi. Welcome to CPRadio.

2
00:00:12.599 --> 00:00:17.039
Have you ever received a phone call
from a robot that was just such

3
00:00:17.160 --> 00:00:23.199
an obvious scam? Hello? Owner
of household? You have been approved for

4
00:00:23.280 --> 00:00:29.000
a low-interest mortgage or something
like that. It's almost offensive. If

5
00:00:29.039 --> 00:00:32.799
you're gonna try to trick me,
at least put in a little effort,

6
00:00:32.960 --> 00:00:37.960
you know. Maybe it's because in
America or Europe or wherever you live,

7
00:00:38.320 --> 00:00:43.079
there are so many people to scam, so many numbers to autodial, that

8
00:00:43.200 --> 00:00:47.920
criminals don't need to be all
that talented to pick up a few gullible

9
00:00:48.000 --> 00:00:56.719
stragglers. Or maybe it's the same
logic behind Nigerian Prince emails. Years ago,

10
00:00:56.920 --> 00:01:03.039
a Microsoft researcher wrote how sounding like
a scammer, quote, is an advantage to

11
00:01:03.079 --> 00:01:07.079
the attacker, not a disadvantage.
Since his attack has a low density of

12
00:01:07.200 --> 00:01:14.840
victims, the Nigerian scammer has an
overriding need to reduce false positives. By

13
00:01:14.920 --> 00:01:19.239
sending an email that repels all but
the most gullible, the scammer gets the

14
00:01:19.319 --> 00:01:26.079
most promising marks to self-select and
tilts the true-to-false-positive ratio in

15
00:01:26.159 --> 00:01:32.319
his favor. End quote. But
for all the stupid spam out there,

16
00:01:32.719 --> 00:01:38.599
there exists a small percentage which is
legitimately worrying for even rational people. You

17
00:01:38.680 --> 00:01:44.040
might have encountered it yourself, especially
if you live in a place like South

18
00:01:44.159 --> 00:01:49.799
Korea. According to a report published
by the Korean government, scam calls,

19
00:01:49.920 --> 00:01:56.120
or what we might refer to as
voice phishing, compromise nearly two hundred Korean citizens

20
00:01:56.120 --> 00:02:00.840
every day, around one hundred and
seventy thousand people in all, between twenty sixteen

21
00:02:01.079 --> 00:02:07.159
and twenty twenty, with average financial
losses around eight thousand, five hundred dollars

22
00:02:07.199 --> 00:02:13.599
worth of Korean won. We're talking
about a total of around a billion US

23
00:02:13.680 --> 00:02:20.280
dollars racked in by scammers in just
half a decade. If it's that successful

24
00:02:20.479 --> 00:02:25.319
in just one country, surely they're
doing something right, and there's more substance to

25
00:02:25.479 --> 00:02:32.280
these attacks than what you might be
used to. This episode is about one

26
00:02:32.319 --> 00:02:38.479
of those campaigns affecting everyday Koreans right
now, called FakeCalls, and what

27
00:02:38.599 --> 00:02:44.199
it might have to show us about
cybersecurity in our part of the world as

28
00:02:44.240 --> 00:02:51.599
well. To help us is Raman
Ladutska. I'm a part of the Check Point Research

29
00:02:51.719 --> 00:02:57.759
team and I'm involved in different tasks. Mainly it's malware research, but from

30
00:02:57.840 --> 00:03:02.039
time to time it may be other
investigations. And right now we will speak

31
00:03:02.080 --> 00:03:10.039
about the latest research conducted by Bohdan
and me, called FakeCalls. And Bohdan Melnykov.

32
00:03:10.439 --> 00:03:15.000
Okay, so I'm Bohdan. I'm
working at Check Point as a malware researcher,

33
00:03:15.439 --> 00:03:21.319
I'm trying to save the world by
analyzing the malicious samples, reversing applications,

34
00:03:21.439 --> 00:03:24.680
trying to extract the interesting data from
them. And that's pretty much it.

35
00:03:25.080 --> 00:03:30.439
We begin with a regular Korean citizen
going about their life when they come across

36
00:03:30.599 --> 00:03:37.240
a loan offer online, on a website
or in their inbox: download this app

37
00:03:37.360 --> 00:03:42.039
to take advantage of this offer,
and so on. The application looks like

38
00:03:42.360 --> 00:03:46.560
well, a legal banking application.
Maybe a loan offer would seem a little

39
00:03:46.639 --> 00:03:51.960
fishy, but it's coming from their
bank. The fonts, the logos,

40
00:03:52.120 --> 00:03:57.840
language and everything are all recognizable.
At this point, we might consider this

41
00:03:57.960 --> 00:04:02.280
person unlucky. In Korea,
seven banks manage between two hundred and seventy

42
00:04:02.280 --> 00:04:09.080
five and five hundred trillion won, and
another dozen manage between one hundred and one

43
00:04:09.120 --> 00:04:15.240
hundred trillion. An efficient hacker might
try to scam customers of the biggest bank

44
00:04:15.680 --> 00:04:19.680
or the second biggest to try and
have the highest rate of victims possible.

45
00:04:20.199 --> 00:04:27.000
But with twenty options available, one
person has a pretty good chance of not

46
00:04:27.199 --> 00:04:31.839
being included in that bunch. In
reality, though, it has nothing to do

47
00:04:32.040 --> 00:04:36.720
with luck. The malware operators generate
a lot of various versions of the malware

48
00:04:36.920 --> 00:04:45.000
that have the like interface of popular
banks. One intrusion with over twenty interfaces,

49
00:04:45.120 --> 00:04:50.480
a display for everyone, no matter
whom you're banking with. It may ask

50
00:04:50.600 --> 00:04:56.680
the user what bank they use,
because the malware actors generate a lot of

51
00:04:56.839 --> 00:05:01.319
variants of the application to target various banks, and then it just installs this application

52
00:05:01.399 --> 00:05:05.040
to get the loan. It looks
pretty legit for it. You see that

53
00:05:05.160 --> 00:05:12.399
it's from some specific bank.
Remarkably, the app too looks pretty good.

54
00:05:13.519 --> 00:05:18.399
So when a victim installs this application
on his or her device, he or she

55
00:05:18.480 --> 00:05:25.079
gets an impression that this application is
a real banking application and it is able

56
00:05:25.120 --> 00:05:30.800
to perform the same operations. To get
the data they need, the attackers dangle

57
00:05:31.000 --> 00:05:39.079
that loan offer. The fake loan offers
offer lower interest rates in comparison to

58
00:05:39.959 --> 00:05:46.160
South Korean banks and financial institutions,
and this is the main reason why victim

59
00:05:46.399 --> 00:05:54.839
will accept this offer and, hopefully for malware
attackers, continue this attack chain. So what

60
00:05:55.000 --> 00:06:00.079
happens exactly after the victim accepts this
fake loan offer may vary from version to

61
00:06:00.240 --> 00:06:05.319
version. In general, they're just
trying to ask some information like name,

62
00:06:05.439 --> 00:06:12.160
contact, where you're working, your
salary, required amount, ID number,

63
00:06:12.519 --> 00:06:17.879
and then operates with this information. All
the information you'd expect to have to

64
00:06:17.920 --> 00:06:24.480
give in order to receive a loan, a kind of facade of legitimacy when

65
00:06:24.639 --> 00:06:29.759
in the end what the hackers really
want is our credit card numbers. In some

66
00:06:29.839 --> 00:06:36.279
cases the apps outright ask for it. The user has to input his or

67
00:06:36.279 --> 00:06:43.680
her credit card details, like sensitive data, and this is the whole point of

68
00:06:43.759 --> 00:06:48.639
this mimicking. In other cases,
to keep up the facade of a legitimate

69
00:06:48.720 --> 00:06:56.560
loan opportunity, there are more steps
involved. For example, some pre-recorded

70
00:06:56.639 --> 00:07:00.360
audio tracks may be launched, and
so the victim will get an impression of

71
00:07:00.399 --> 00:07:06.279
speaking with an automated machine from the
bank, which gives an instruction to leave

72
00:07:06.319 --> 00:07:12.759
credit card details, to input these
details into some form and then send it

73
00:07:12.839 --> 00:07:18.480
to the presumable bank or something like
this. People are less receptive to automated

74
00:07:18.560 --> 00:07:24.600
calls, as we've already discussed,
so for better results, the hackers pick

75
00:07:24.680 --> 00:07:30.240
up the phones themselves and then the
victim will speak with a real person who

76
00:07:30.279 --> 00:07:34.360
will be, of course, a malware operator. The interesting thing about it is the

77
00:07:34.480 --> 00:07:42.680
application helps the attacker to fool the user
by showing not the real

78
00:07:42.759 --> 00:07:46.279
number, but the
number related to the bank, a specific

79
00:07:46.319 --> 00:07:51.360
bank. It's worth remembering throughout the
scam just how far the attackers are going

80
00:07:51.399 --> 00:07:57.680
to keep up appearances: a fake application
that looks like the real thing and is

81
00:07:57.839 --> 00:08:03.199
fully operational, and at this stage, phone
calls with actual human beings coming from the

82
00:08:03.360 --> 00:08:09.360
targeted bank's actual phone number. How
do they even do that? It has

83
00:08:09.439 --> 00:08:16.839
like a call listener in the application
that analyzes the incoming phone number,

84
00:08:16.160 --> 00:08:20.560
and if it's interesting to it,
like it's their phone number, they can

85
00:08:20.600 --> 00:08:26.319
replace it with the bank number.
There are other ways to mask the attackers

86
00:08:26.399 --> 00:08:31.919
number as a legitimate one, at
least theoretically. They may show, they draw the

87
00:08:33.039 --> 00:08:39.759
specific images of the stock dialer in
some Samsung or Google phones, just to fool the victim.

88
00:08:39.039 --> 00:08:46.559
Also, it may replace the phone
call logs information, just to, again, if

89
00:08:46.600 --> 00:08:50.399
you'll later open the call history, you'll see, oh, it was

90
00:08:50.440 --> 00:08:54.679
a real bank operator. Else,
it may modify the contacts in your phone

91
00:08:54.720 --> 00:09:00.279
book, just to again verify that
this was a legal call, and so

92
00:09:00.440 --> 00:09:05.360
on. In all, FakeCalls
is some of the most multifunctional malware you'll

93
00:09:05.360 --> 00:09:09.759
ever see. We haven't even mentioned, for example, its ability to capture

94
00:09:09.919 --> 00:09:16.200
live audio and video streams from the
device's microphone and either its front or back

95
00:09:16.320 --> 00:09:24.080
camera, streaming that data straight to the
attackers' C2 servers. Perhaps FakeCalls

96
00:09:24.240 --> 00:09:30.840
has to be this good to distinguish
itself in an already fruitful underground voice phishing

97
00:09:30.960 --> 00:09:37.600
industry. So this market is very
profitable for the attackers, and this scheme

98
00:09:37.720 --> 00:09:43.679
is very effective. So FakeCalls
just takes the best of this world and

99
00:09:43.799 --> 00:09:50.440
tries to reimplement what was already established
some time ago in South Korea and the

100
00:09:50.679 --> 00:09:54.960
normal Android malware that does the
same. Okay, so this is the

101
00:09:54.000 --> 00:09:58.279
first kind of attack that we were
aware of in the cybersecurity space. Like

102
00:09:58.360 --> 00:10:03.320
it's interesting in and of itself. Yeah, that's why FakeCalls is pretty

103
00:10:03.320 --> 00:10:09.480
interesting, because there are a lot
of various bankers that are able to steal

104
00:10:09.559 --> 00:10:16.240
the data, send text messages from
the device, identification, but like playing some

105
00:10:16.440 --> 00:10:22.039
voices for the user, streaming your camera
to their server. It's a pretty unique technique.

106
00:10:22.360 --> 00:10:26.879
It wasn't used before. Researchers at
Kaspersky first published details of the Fake

107
00:10:28.000 --> 00:10:33.200
Calls malware campaign about a year ago. In the time since, the attackers

108
00:10:33.279 --> 00:10:39.080
have been constantly improving upon their capabilities. The malicious actors generate a lot of

109
00:10:39.120 --> 00:10:45.639
applications every day and, according to the
code, they always evolve. They started

110
00:10:45.679 --> 00:10:48.200
from storing the C2, for
example, in a resource file. Then

111
00:10:48.240 --> 00:10:54.559
they decided to place it into the code
and encrypted this. Then the key was

112
00:10:54.600 --> 00:10:58.480
located in the resources, then in
the code. Then they decided to go

113
00:10:58.559 --> 00:11:03.759
to the droppers, so they started
from using GitHub as a sort of

114
00:11:03.879 --> 00:11:07.360
mirror website, then reached to
Google Drive. So they're always trying to

115
00:11:07.399 --> 00:11:15.080
improve the malware and generate more samples. More samples means that the intrusion can

116
00:11:15.120 --> 00:11:20.279
continue to stay under the radar.
Once antivirus programs pick up on their

117
00:11:20.360 --> 00:11:24.799
scent, they're already wearing a new
perfume. In fact, the FakeCalls

118
00:11:24.879 --> 00:11:31.200
hackers have implemented a new suite of
mechanisms designed to evade detection by the victim,

119
00:11:31.600 --> 00:11:37.559
by any antivirus software they may
have running, and by security researchers themselves.

120
00:11:37.960 --> 00:11:43.759
First of all, they are trying
to add anti-AV techniques that will

121
00:11:43.879 --> 00:11:50.840
break the logic of antivirus engines, that will
fail under application analysis. The second thing

122
00:11:50.960 --> 00:11:58.120
is that they create the parent application that
has almost no permissions and create the real

123
00:11:58.240 --> 00:12:03.679
malicious application in the assets folder. So
if some antivirus will analyze the application,

124
00:12:03.840 --> 00:12:09.120
it'll see that there are almost
no permissions and nothing to worry about.

125
00:12:09.120 --> 00:12:15.120
And finally, when the user will
install this payload that contains all the

126
00:12:15.559 --> 00:12:20.799
malicious functionality, it will start
collecting the data from the user device

127
00:12:20.879 --> 00:12:26.639
and it will be too late to
block, like to detect this malware before the

128
00:12:26.720 --> 00:12:31.600
installation. Yeah, but so basically, if the user tries to check

129
00:12:31.639 --> 00:12:37.159
the application on some sites, they
will see that the application is legit. But

130
00:12:37.759 --> 00:12:41.919
if you don't have any like antivirus
installed on your device, it will

131
00:12:41.960 --> 00:12:46.200
not be able to understand that there is
some other application inside this application that

132
00:12:46.240 --> 00:12:50.879
has been installed. Despite a year in
the wild, and who knows how many

133
00:12:50.960 --> 00:12:58.840
victims compromised. So many questions about
fake calls still remain unanswered. We suppose

134
00:13:00.000 --> 00:13:03.200
that there is only one operator behind
this malware. It's not widely spread,

135
00:13:03.440 --> 00:13:09.519
it's not available for rent or something
like this. So this is the malware

136
00:13:09.639 --> 00:13:13.639
that is used by the malware
operators for themselves. But we cannot

137
00:13:13.679 --> 00:13:18.399
really say who is behind it.
It may be a governmental attack from another

138
00:13:18.480 --> 00:13:22.799
country. It may be just a
private attempt to gather as much money as

139
00:13:22.799 --> 00:13:28.759
possible. And in order to say
this, we have to cooperate with various

140
00:13:28.759 --> 00:13:33.799
security institutions, maybe even legal enforcement
power to investigate further, because according to

141
00:13:33.799 --> 00:13:39.240
all sources, we're not able to
say with more precision. As long as

142
00:13:39.279 --> 00:13:46.080
the attackers keep evading governments and cyber
researchers, and as long as these attacks

143
00:13:46.159 --> 00:13:50.879
remain as effective as they are,
more hackers will likely adopt these same tactics,

144
00:13:52.200 --> 00:13:56.080
and the problem will grow and spread, likely to a country near you.

145
00:13:58.399 --> 00:14:01.639
As we see, this market is
still profitable, the malware is still

146
00:14:01.840 --> 00:14:07.279
lurking there. The new versions of
FakeCalls malware still appear, and so

147
00:14:09.200 --> 00:14:16.279
the attacks continue. Be aware the next
time you pick up the phone. That's

148
00:14:16.279 --> 00:14:20.279
it for this episode. Thank you
for listening. For past episodes of the

149
00:14:20.320 --> 00:14:26.639
podcast, visit the Check Point Research blog at
research dot checkpoint dot com, and you

150
00:14:26.679 --> 00:14:31.320
can follow Check Point Research on Twitter, or
follow me at Ran Levi, at R-A-N

151
00:14:31.639 --> 00:14:37.879
L-E-V-I. CPRadio is
produced by PI Media, written by Nate

152
00:14:37.960 --> 00:14:43.000
Nelson, produced by Hila Shmish,
and edited and narrated by Ran Levi.

153
00:14:43.360 --> 00:14:46.480
See you next episode. Bye bye.

