Keypoints
- TheftCRow is identified by S2W’s TALON team as a voice-phishing distribution organization targeting users with fake sites.
- Operators create phishing sites impersonating legitimate institutions and frequently used Korean apps to deceive victims into installing malware.
- TheftCalls Loader is used to coerce installation of the main malicious app, TheftCalls.
- TheftCalls can force call connections, record calls, stream audio and video in real time, and modify call logs without user consent.
- The group uses multiple phishing themes and sites to widen their reach and increase success rates.
- They employ techniques to evade detection and actively discover or remove security apps from infected devices.
MITRE Techniques
- [T1660] Initial Access – Phishing is used to deliver malicious applications and gain access to victim devices. (‘Phishing to gain access to victim devices.’)
- [T1398] Persistence – The malware maintains presence using boot or logon initialization mechanisms. (‘Using boot or logon initialization scripts to maintain presence.’)
- [T1629.001] Defense Evasion – The apps block their own removal, which both evades cleanup and keeps them persistent. (‘Preventing application removal to evade detection.’)
- [T1655.001] Defense Evasion – The malware matches legitimate names or locations to avoid raising user suspicion. (‘Matching legitimate names or locations to avoid suspicion.’)
- [T1406] Defense Evasion – Files and information are obfuscated to conceal malicious activity. (‘Obfuscating files or information to conceal malicious activities.’)
- [T1418.001] Discovery – The malware scans for security software to disable or bypass it. (‘Discovering security software to disable or bypass it.’)
- [T1429] Collection – The malicious apps capture audio from calls and the device environment. (‘Capturing audio through malicious applications.’)
- [T1437.001] Command and Control – Web protocols are used for communication with C2 servers. (‘Utilizing web protocols for communication with C2 servers.’)
- [T1646] Exfiltration – Stolen data is sent out over established C2 channels. (‘Exfiltrating data over C2 channels.’)
- [T1641] Data Manipulation – The malware alters call logs and recordings to hide or manipulate evidence. (‘Manipulating data such as call logs and recordings.’)
Indicators of Compromise
- [File hash] Malware samples – TheftCalls Loader: c097468c21c2c0661…bed (hash truncated), TheftCalls: eac60d6754173230c…619 (hash truncated)
- [Network C&C Server] Command-and-control URLs – hxxp://ppnwhbjy.agbrexi9ohfrx53m.com/web/OBQ/interface.html, hxxp://f6ewdnfmffcxwbvses[.]com:8388, and 1 other C2 URL
- [WebView URL] Phishing landing page (example shown in Korean-themed interface) – hxxp://fnqh5qar.jbuvx6cshyvug9kk[.]com/web/OBQ/interface.html (labeled “시티즌코난”, i.e. Citizen Conan, the name of a legitimate Korean anti-phishing app)
The TheftCRow campaign uses professional-looking phishing sites that impersonate trusted services to trick users into installing two-stage Android malware. Attackers deploy TheftCalls Loader to push the main TheftCalls app, which then gains extensive control: forcing call connections, recording and streaming audio/video, and editing call logs to hide traces. Operators also scan for and remove security apps and use obfuscation and persistence techniques to remain on devices and communicate with remote C2 servers.
S2W’s TALON team highlights multiple phishing themes and C2 infrastructure used in this campaign, providing hashes and URLs for detection and response. Organizations and users should treat unsolicited links and app installs with caution, verify app sources, and monitor for the listed IoCs to limit exposure.
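The report lists its network IoCs in defanged form (hxxp, [.]), so a practical first step for the monitoring it recommends is to refang them and sweep DNS or proxy logs for the hosts. The following script is an added example written for this summary, not code from S2W or the TALON team. It builds a watchlist from the three URLs printed above, matches log lines on the exact host and, as a deliberate design choice that goes slightly beyond the page, also on the registrable parent domain, since the two landing-page hosts shown use random-looking subdomains. The log lines and the extra subdomain in them are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Network IoCs exactly as printed in the report (defanged notation).
REPORT_IOCS = [
    "hxxp://ppnwhbjy.agbrexi9ohfrx53m.com/web/OBQ/interface.html",
    "hxxp://f6ewdnfmffcxwbvses[.]com:8388",
    "hxxp://fnqh5qar.jbuvx6cshyvug9kk[.]com/web/OBQ/interface.html",
]


def refang(ioc: str) -> str:
    """Turn defanged notation (hxxp, [.], [:]) back into a real URL string."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def host_of(url: str) -> str:
    """Extract the lower-cased hostname from a URL (port and path dropped)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Naive parent-domain extraction: last two labels.

    Assumption: adequate for .com-style TLDs as seen on this page; for
    second-level public suffixes (co.kr etc.) use a public-suffix list.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def build_watchlist(iocs):
    """Return (exact_hosts, parent_domains) derived from the defanged IoCs."""
    hosts, domains = set(), set()
    for ioc in iocs:
        h = host_of(refang(ioc))
        if h:
            hosts.add(h)
            domains.add(registrable_domain(h))
    return hosts, domains


# Matches a DNS-style hostname (letters/digits/hyphen labels, alphabetic TLD),
# optionally followed by a port. Dotted IPv4 addresses do not match because
# the final label must be alphabetic.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})(?::\d+)?\b", re.IGNORECASE)


def scan_log(lines, hosts, domains):
    """Return (line_no, matched_host, kind) for each line hitting the watchlist.

    kind is "exact" for a listed host and "domain" for another subdomain of a
    listed parent domain. One hit per line is reported.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for m in HOST_RE.finditer(line):
            h = m.group(1).lower()
            if h in hosts:
                hits.append((n, h, "exact"))
                break
            if registrable_domain(h) in domains:
                hits.append((n, h, "domain"))
                break
    return hits


# Constructed sample log lines (not from the report). Line 3 uses a made-up
# subdomain of one listed parent domain to show the "domain" match kind.
SAMPLE_LOG = [
    "2025-01-10T09:12:01Z dns client=10.0.0.5 query=ppnwhbjy.agbrexi9ohfrx53m.com type=A",
    "2025-01-10T09:12:03Z proxy client=10.0.0.5 GET http://f6ewdnfmffcxwbvses.com:8388/ status=200",
    "2025-01-10T09:12:05Z dns client=10.0.0.7 query=zz91kq.jbuvx6cshyvug9kk.com type=A",
    "2025-01-10T09:12:09Z dns client=10.0.0.9 query=www.example.com type=A",
]


def main():
    hosts, domains = build_watchlist(REPORT_IOCS)
    for line_no, host, kind in scan_log(SAMPLE_LOG, hosts, domains):
        print(f"line {line_no}: {kind} match on {host}")


if __name__ == "__main__":
    main()
```

The file hashes on the page are truncated, so they cannot be used for matching as printed; take the full values from the original report before adding a hash check. A "domain" hit is weaker evidence than an "exact" hit and should be triaged rather than blocked outright.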