Another worrying flurry of Android malware headlines this week, with a new warning that dangerous new spyware is now infecting devices. As malware goes this one is a doozy, intercepting calls, live streaming your device screen to attackers, reading, sending and deleting texts, even taking photos with your camera.
Zimperium warns that “our zLabs team has been actively tracking a new variant of a well-known malware named FakeCall.” And while prior versions of the malware have been reported by Kaspersky and ThreatFabric, the malware has now been enhanced.
At its heart though, the core focus of the attack is the same as old. FakeCall intercepts incoming and outgoing calls, with “victims tricked into calling fraudulent phone numbers controlled by the attacker.” The underlying code has been changed to make it harder to find and new features have been added—some of which are not yet live.
First things first, after you have downloaded the malicious app which then loads malware onto your phone, “the app prompts the user to set it as the default call handler. Once designated as the default call handler, the app gains the ability to manage all incoming and outgoing calls.”
So, let’s be very clear—you must never allow a new app to become the default call handler on your phone. There may be reasons to change from the default Android app, but if that’s the case you should only download a well-referenced app from a mainstream developer and only from Play Store. Not like this.
Second, the malicious FakeCall apps are all sideloaded—that means direct installs or from third-party app stores. You will be lured into the install by social media posts, texts/WhatsApps or emails. Do not take the bait.
As Zimperium explains, “by exploiting its position as the default call handler, the app can modify the dialed number, replacing it with a malicious one… deceiving users into making fraudulent calls… The malware can [also] intercept and control incoming and outgoing calls, covertly making unauthorized connections. In this case, users may be unaware until they remove the app or restart their device.”
The intent of this spyware is to steal your hard-earned money. It is waiting on your device for you to contact a known financial institution. When you do, “the malware redirects the call to a fraudulent number controlled by the attacker. The malicious app will deceive the user, displaying a convincing fake UI that appears to be the legitimate Android’s call interface showing the real bank’s phone number. The victim will be unaware of the manipulation, as the malware’s fake UI will mimic the actual banking experience, allowing the attacker to extract sensitive information or gain unauthorized access to the victim’s financial accounts.”
But if you do three things you cannot be caught out like this:
- As above, never reset the default call handler
- Do not sideload apps onto your device—even Google now warns against this
- Ensure Play Protect is enabled on your phone
Google is clamping down on sideloading and has expanded Play Protect beyond its own Play Store apps to cover those from other sources. We also expect Android 15’s new live threat detection to hit upgraded phones soon. This should monitor for this kind of malicious behavior in real time, even if an app is not yet flagged.
Meanwhile, you can check if you have known FakeCall apps on your phone—Zimperium has provided details here. You can also ensure the default call handler has not been changed, no unexpected accessibility services permissions have been set, and Play Protect is enabled at all times.
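The default call handler, sideloading and accessibility checks described above can be run from a computer over adb. The script below is an added example, not from the article or from Zimperium; the trusted dialer list, treating Play Store as the only trusted installer, and the sample package names are assumptions.

```shell
#!/bin/sh
# Added example: audit call handler, sideloaded apps and accessibility services.
# Assumptions: the trusted dialer list, and Play Store as the only trusted installer.
TRUSTED_DIALERS="com.google.android.dialer com.samsung.android.dialer com.android.dialer"
TRUSTED_INSTALLER="com.android.vending"

# Print OK if the default call handler is a known stock dialer, else WARN.
check_dialer() {
  for d in $TRUSTED_DIALERS; do
    if [ "$1" = "$d" ]; then echo "OK"; return 0; fi
  done
  echo "WARN"
}

# stdin: `pm list packages -3 -i` output. Print user apps not installed by Play Store.
sideloaded_packages() {
  awk -v ok="$TRUSTED_INSTALLER" '/^package:/ {
    pkg = $1; sub(/^package:/, "", pkg); inst = "unknown"
    for (i = 2; i <= NF; i++) if ($i ~ /^installer=/) inst = substr($i, 11)
    if (inst != ok) print pkg
  }'
}

# $1: value of the secure setting enabled_accessibility_services ("pkg/class:pkg/class").
# Print each package that has an accessibility service enabled.
accessibility_packages() {
  printf '%s\n' "$1" | tr ':' '\n' | awk -F/ 'NF >= 2 && $1 != "" { print $1 }' | sort -u
}

report() {  # $1 dialer, $2 package list, $3 accessibility setting
  echo "default call handler: $1 [$(check_dialer "$1")]"
  echo "not installed by Play Store:"; printf '%s\n' "$2" | sideloaded_packages | sed 's/^/  /'
  echo "accessibility services enabled by:"; accessibility_packages "$3" | sed 's/^/  /'
}

if [ "${1:-}" = "--device" ]; then
  # Live mode: needs adb and an authorized device with USB debugging enabled.
  report "$(adb shell telecom get-default-dialer | tr -d '\r')" \
         "$(adb shell pm list packages -3 -i | tr -d '\r')" \
         "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
else
  # Constructed sample data (hypothetical package names), so the script runs offline.
  report "com.example.callhelper" \
"package:com.whatsapp  installer=com.android.vending
package:com.example.callhelper  installer=null" \
         "com.example.callhelper/.Svc:com.example.reader/.ReaderService"
fi
```

Run it with `--device` to query a connected phone; without arguments it prints a report for the constructed sample data. Play Protect status is not checked by this script.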