Fakecalls Android Malware Abuses Legitimate Signing Key | McAfee Blog

McAfee Mobile Research found a Fakecalls Android banking trojan signed with a legitimate South Korean developer signing key, allowing the malware to appear as trusted apps and evade signature-based checks. The samples use Tencent’s Legu packer, hide a secondary APK inside the assets as “introduction.html”, request installation and broad permissions, and connect to remote C2 using a push SDK for extensive remote control. #Fakecalls #LeguPacker

Keypoints

  • Fakecalls samples were signed with a legitimate South Korean app signing key, enabling them to masquerade as apps from the same developer and bypass signature-based detection.
  • Most malicious samples mimic banking apps (including using the same icons) and were not distributed via official app stores; McAfee disclosed the issue and the vendor replaced the signing key.
  • The malware uses Tencent’s Legu packer to encrypt its malicious code; after decryption the DEX contains unexpected code that reads an APK disguised with an HTML extension from the assets directory.
  • The initial dropper prompts the user to install a bundled payload (stored as “introduction.html” in assets); that payload requests multiple sensitive permissions and registers services/receivers for persistent control.
  • Fakecalls uses a legitimate push SDK to receive commands from remote C2 servers; McAfee enumerated a wide command set including SMS upload, call/caller upload, call forwarding, file upload, SMS interception, call recording, and contact/file deletion.
  • McAfee published IOCs including multiple SHA256 hashes and domains (e.g., o20-app.dark-app.net, o20.orange-app.today) and found active phishing pages and C2 admin pages linked to the campaign.
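The dropper layout described above (a second APK stored under an HTML name in the assets directory) can be caught by inspecting asset contents rather than extensions. The following is an added triage helper, not code from McAfee or the blog post; it builds a constructed, benign two-layer archive in memory to stand in for a sample, then flags any asset that is really a ZIP carrying APK markers.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"          # local file header of a non-empty ZIP/APK
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}


def build_sample_dropper() -> bytes:
    """Constructed stand-in for the dropper: an outer APK whose assets/
    directory hides an inner APK as 'introduction.html'. Both archives are
    built here with placeholder content; nothing is real malware."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed manifest>")
        z.writestr("classes.dex", b"dex\n035\x00constructed")

    plain_zip = io.BytesIO()
    with zipfile.ZipFile(plain_zip, "w") as z:
        z.writestr("readme.txt", b"an ordinary bundled archive")

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed manifest>")
        z.writestr("classes.dex", b"dex\n035\x00constructed")
        z.writestr("assets/introduction.html", inner.getvalue())   # hidden APK
        z.writestr("assets/help.html", b"<html><body>real page</body></html>")
        z.writestr("assets/data.zip", plain_zip.getvalue())        # ZIP, not APK
    return outer.getvalue()


def find_hidden_apks(apk_bytes: bytes) -> list:
    """Return asset paths whose bytes are a ZIP containing APK markers,
    regardless of the file extension they were given."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if not name.startswith("assets/"):
                continue
            data = z.read(name)
            if not data.startswith(ZIP_MAGIC):
                continue                      # not an archive, e.g. real HTML
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    members = set(inner.namelist())
            except zipfile.BadZipFile:
                continue                      # magic matched but not parseable
            if members & APK_MARKERS:
                hits.append(name)             # archive that is really an APK
    return hits


if __name__ == "__main__":
    print(find_hidden_apks(build_sample_dropper()))  # ['assets/introduction.html']
```

The same check applies to a real sample by passing the bytes of the dropper APK to find_hidden_apks; a hit on an asset with a non-APK extension is a strong signal worth a closer look.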

MITRE Techniques

  • [T1027] Obfuscated/Compressed Files and Information – Uses Tencent’s Legu packer to encrypt its malicious code; after decryption, the DEX contains code that reads an APK disguised as HTML from the assets; [‘The samples use Tencent’s Legu packer, hide a secondary APK inside the assets as introduction.html.’]
  • [T1036] Masquerading – Signed with a legitimate signing key and mimics banking apps to appear trusted; [‘signed with a legitimate South Korean developer signing key, allowing the malware to appear as trusted apps’] and [‘Most malicious samples mimic banking apps (including using the same icons)’]
  • [T1566] Phishing – Phishing domains/pages lure users to fake Korean banking pages; [‘phishing site disguised as a Korean banking site’]
  • [T1041] Exfiltration Over C2 Channel – The malware uploads SMS, call logs, and files to a remote C2 server; [‘sms message upload’, ‘caller number upload’, ‘find all possible files and upload them’]
  • [T1071] Command and Control – Uses a remote C2 server and a push SDK to receive commands; [‘receive commands from remote C2 servers’]

Indicators of Compromise

  • [SHA256 hashes] Dropper and banker samples – 7f4670ae852ec26f890129a4a3d3e95c079f2f289e16f1aa089c86ea7077b3d8, 60f5deb79791d2e8c2799e9af52adca5df66d1304310d1f185cec9163deb37a2, and 12 more hashes.
  • [Domains] Phishing/C2-related domains – http://o20-app.dark-app.net, http://o20.orange-app.today (phishing site disguised as a Korean banking site; C2 admin pages discovered).
  • [File names / App names] Malicious payload and app labels – “introduction.html” (actually an APK inside assets), app names seen as 신한신청서 and 보안인증서 used to impersonate banking apps.

Read more: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fakecalls-android-malware-abusing-legitimate-signing-key/