Imagine if you called your bank and ended up talking to a hacker instead. An experienced attacker could trick you into sharing details like your login credentials, credit card details, or account numbers. Unfortunately, this scenario can be very real if you’ve accidentally downloaded FakeCall malware.

During the holiday season, there are many reasons to call your bank and credit card provider. When you need to check your account balance before an impromptu shopping trip or ask about a personal loan to cover the costs of hosting this year’s holiday party, your bank is only a call away. During the call, you provide personal information like your account number or other financial details because you know you’re speaking with trusted bank personnel.

What you don’t realize is that an attacker has intercepted your phone call to gain access to your sensitive financial information.

UNDERSTANDING THE DANGERS OF TROJANS

Trojans are a type of malware introduced to your device when you unintentionally download them. Perhaps you found an app you couldn’t live without, but it wasn’t available in the PlayStore. Or maybe you unsuspectingly clicked a link in a seemingly safe email. Once it’s downloaded, FakeCall masquerades as your phone’s default call interface and can manipulate both incoming and outgoing calls.

Once installed, the malicious app asks users to set it as the default dialer app, giving it permission to take notes of outgoing and incoming calls. When you make a call to your bank, it’s redirected to cyber criminals who use vishing (voice phishing) techniques to impersonate bank personnel and gather your sensitive financial information. Attackers can then use your passwords, account numbers, etc., to gain access to your funds. Newer versions of the malware can even record your screen, take screenshots, unlock the device, and disable auto lock. These updates have the potential to allow hackers to hijack your device and access sensitive data. Without the right protections, these capabilities could lead to a catastrophic breach.

PROTECTING YOURSELF AND YOUR CLUB FROM SOPHISTICATED ATTACKS

FakeCall is notoriously hard to detect because it displays an interface that looks identical to your device’s call interface. The fake UI displays your bank’s real number and mimics your bank’s typical experience, allowing attackers to remain undetected throughout the exchange. Besides vishing, attackers may also use other phishing techniques designed for mobile devices, including sending deceptive SMS messages to lure users into clicking malicious links or exploiting QR codes to deliver the malware through mobile cameras. The most updated versions of the malware leverage Android’s Accessibility Service, allowing hackers to take remote control of a device and impersonate the user. This ability is especially concerning for its potential to lead to a breach.

Like other types of malware, FakeCall depends on the user to download an app or file. Protecting your device from sneaky attacks requires constant vigilance and best practices for digital hygiene. It’s crucial to only use trusted sites like Google Play Store for downloading apps and avoid clicking links when you’re unsure of their source. You can add another layer of protection by using antivirus tools and maintaining antivirus updates. Since the malware enables attackers to display your bank’s real phone number, stay on alert for unusual correspondence from your bank. Unusual calls or SMS messages can be a sign that hackers are trying to bait you into clicking a malicious link.

CYBERSECURITY HOT TIP

Practice the principle of least privilege to protect sensitive club data.

Using personal devices to take care of club tasks is a convenient and cost-effective way to ensure administrators can meet deadlines and conduct business remotely. However, having multiple devices with access to sensitive data opens vulnerability to breaches.

Practicing the principle of least privilege is a data safety method characterized by only allowing staff members to access sensitive data as it applies to their job roles. By minimizing the number of devices with access to sensitive data, you can better protect your club from a catastrophic breach. Updating your permissions policies is a step you can take right away to protect against malware targeted at mobile devices.

About the Author
Brad Preston is a client advisor at World Insurance Associates (World) specializing in the Sports industry. Prior to World, he spent more than 20 years at Advanced Event Systems and SportsEngine where he worked closely with the JVA and other member clubs in the volleyball space. He is well versed in club operations, staff, and member management, and most importantly, the use of technology and its inherent cyber risks. The JVA and World have partnered together to bring JVA Members educational articles and content to help you learn about your unique cyber risks and exposures, and how to better protect your businesses, members, and families in general. Feel free to reach out to Brad directly with any questions at bradpreston@worldinsurance.com