
SK RESEARCH

In December 2022, the Anti-Money Laundering Council (AMLC) noted a steady rise in
suspicious transactions involving phishing and hacking, amounting to ₱16.4 billion over the past
decade. Domestic transactions made up 99.73% of the suspicious transaction reports (STRs), and
50% of these were reported from the National Capital Region (NCR), Calabarzon, Central Luzon,
Central Visayas, Ilocos Region, Davao Region, and Western Visayas, while 44.6 percent of the
transaction locations are unknown.
https://www.philstar.com/business/2022/12/26/2233253/phishing-hacking-attacks-rise-amlc/amp/

Philippine authorities list phishing as the top cybercrime committed in the country during the
COVID-19 pandemic, followed by online selling scams and the spread of fake news. Phishing
schemes, in which scammers hijack the identity of a trusted person or institution to gain access
to personal or sensitive data, are the undisputed number one cybercrime in the archipelago.
Remote-working employees and businesses are often targeted with increasingly personalized
virtual lures. Large corporations and financial institutions are not exempt because of their
heightened cybersecurity measures; if anything, they are more at risk, as bad actors will often
imitate the bank or financial service to gain access to your financial information.
https://techwireasia.com/2020/08/phishing-scams-dominate-the-philippines-cybercrime-landscape/

Check Point Research discovered an Android Trojan called FakeCalls that can impersonate
more than 20 financial applications and conduct voice phishing attacks on the South Korean
market. Voice phishing is a type of cyber attack where the attacker impersonates a real bank
employee to trick victims into divulging sensitive information. According to a report on the South
Korean government website, voice phishing attacks led to approximately $600 million in
financial losses in 2020 and impacted over 170,000 victims between 2016 and 2020. The
FakeCalls malware possesses multiple anti-analysis techniques to evade detection and is
designed to extract private data from the victim's device. Check Point Research has published a
report describing the malware's functionality and recommending ways to stay protected from
similar threats.

The article discusses a malware sample called FakeCalls that targets financial institutions. The
malware uses unique anti-analysis techniques that make it difficult for analysis tools to process
the sample. These techniques include Multi-Disk, AndroidManifest, and Files. The article
provides technical details on each of these techniques and how they are implemented in the
malware. The malware is designed to steal private financial data from victims, and it does this
by playing pre-recorded audio tracks imitating instructions from the bank. The article suggests
that the malware is successful in achieving its goals.

The FakeCalls malware has a multi-step dropping process, where the APK is dropped through a
BroadcastReceiver and launched later. It can also capture live audio and video streams from the
device's camera and send them to C&C servers. The developers implemented various ways to
hide the real C&C servers, such as using dead drop resolvers in Google Drive or arbitrary web
servers. Check Point's Harmony Mobile can prevent this malware from infiltrating mobile
devices by detecting and blocking the download of malicious apps in real time.

The Android banking trojan FakeCalls has started using legitimate app signing keys from a
popular South Korean IT company to bypass signature-based detection techniques. The trojan
disguises itself as genuine banking apps and uses stolen icons. To avoid detection, the malware
encrypts its source code using a packer. The trojan registers the infected device for several
services and establishes a connection with a C2 server to receive further instructions. The URLs
linked to the trojan were first observed in August 2022, and some are still operational. Users are
advised to download apps from official and reliable sources only to protect themselves from
FakeCalls.
