SecretCalls Spotlight: A Formidable App of Notorious Korean Financial Fraudster (Part 1)

Voice phishing groups in South Korea distribute phishing sites and malicious Android apps to trick victims into installing them and transferring money. The SecretCalls Loader, linked to the SecretCrow threat group, uses anti-analysis techniques such as emulator detection, DEX encryption, dynamic loading, and a second-stage installation to hinder investigation. #SecretCalls #SecretCrow #NationalPoliceAgency #FinancialSupervisoryService #PhishingEyes #Cybercop #GooglePlayStore

Keypoints

  • Voice phishing groups operate phishing sites, distribute malicious apps, and harvest victim data to persuade app installation and fund transfers.
  • SecretCalls Loader is the malware family associated with the threat group SecretCrow; its phishing pages impersonate law enforcement and financial bodies.
  • The loader employs emulator detection, obfuscated code, DEX encryption, dynamic DEX loading, and a second-stage installation to hinder analysis.
  • Phishing sites disguise themselves as legitimate institutions (e.g., National Police Agency Cybercop, Phishing Eyes) and serve APKs whose names follow patterns like [A-Za-z0-9]{5}.apk.
  • Attack flow: the attacker calls the victim and instructs them to install the app; the victim visits a phishing site; a call-forwarding mechanism then redirects the victim's legitimate calls to the attacker, enabling the fraud.
  • SecretCalls Loader relies on native libraries, AES-based DEX decryption, and context initialization to load and execute the hidden SecretCalls payload.

MITRE Techniques

  • [T1575] Native API – SecretCalls Loader uses a native library for emulator detection and dex file decryption. “SecretCalls Loader uses a native library for emulator detection and dex file decryption.”
  • [T1633.001] System Checks – The main activity checks if the infected device meets the conditions to be infected. “If any of the following conditions are not met, execution is aborted.”
  • [T1630.002] File Deletion – SecretCalls Loader deletes phishing detection apps if installed on the infected device. “SecretCalls Loader deletes phishing detection apps if installed on the infected device.”
  • [T1407] Download New Code at Runtime – The DEX files are AES-encrypted and are decrypted and dynamically loaded as the app runs. “The internal files… are decrypted and dynamically loaded as the app runs.”
  • [T1629.003] Disable or Modify Tools – The anti-analysis techniques include DEX Dynamic Loading, installing additional apps, initializing context, and using Native Libraries. “anti-analysis techniques, including DEX Dynamic Loading, installing additional apps, initializing context, and using Native Libraries.”

Indicators of Compromise

  • [Hash] [MD5] – 2603b73c22498e6eb20c4cfae5d34850, 9ffc137696947fa52c2a1171ed971d3d, and many more hashes
  • [Hash] [SHA-1] – 121b6fd9178edfd3b6422c66c3d504bee90cbe46, e24292b5d840671519b87cb076f9ced4f39191c5, and many more hashes
  • [Hash] [SHA-256] – 76bb1d3fa9b8b872c01da30bfac5fe52ae89d3ca43ce0dad967bc7da0a8e7644, 2ac75296c3c537faf125543c9d386b05, and many more hashes
  • [File Name] – byfg2.apk, cFuvDW.apk, and 2 more
  • [IP] – 61.227.55.47, 114.44.218.84, and 36.234.40.6

Read more: https://www.hendryadrian.com/secretcalls-spotlight-a-formidable-app-of-notorious-korean-financial-fraudster-part-1/