Letscall: Advanced Voice over IP Phishing Attack

Vishing (voice phishing) has grown in popularity, and the increase in Voice over IP phishing is eroding trust in calls from unknown numbers. Recently, a warning was issued about a sophisticated phone scam called “Letscall,” in which scammers deceive people through voice communication. A ThreatFabric cybersecurity researcher discovered and warned about this emerging form of voice phishing.

The operators of Letscall employ a multi-step attack to trick victims into downloading malicious apps from a fake Google Play Store site. The attack consists of three stages. In the first stage, the victim’s device is set up, the necessary permissions are obtained, and the phishing page is launched. In the second stage, the victim downloads and installs the second-stage malware from the control server. This is the stage in which the attacker infects the targeted device, extracts data, and enrolls the device in a P2P VoIP network used to communicate with the victim via video or voice calls. The third-stage malware extends the functionality of the second stage by redirecting calls from the victim’s device to the attacker’s call center.

The method used by the attacker to lure victims to the decoy page is still unclear, but it could involve black hat SEO techniques or social engineering. Cybersecurity analysts have also discovered Google Play-like pages optimized for mobile screens, primarily in Korean.

The downloaders used in these attacks are relatively simple apps that sometimes employ custom methods. During the initial download, the malware is protected with obfuscation tools such as Tencent Legu and Bangcle (SecShell). In later stages, it uses complex naming and corrupts the manifest to evade security systems.
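For defenders triaging a suspicious APK, the two evasion traits described above can be checked statically. The following is an added example, not code from ThreatFabric or the original article. The library-name markers and the header checks are assumptions chosen for illustration, since the article does not say how the manifest is corrupted; `triage_apk`, `check_manifest` and `build_sample` are hypothetical helper names.

```python
import io
import struct
import zipfile

# Native-library name fragments commonly associated with the two packers the
# article names. Heuristic indicators assumed for this example, not from the page.
PACKER_MARKERS = {
    "Tencent Legu": ("libshella", "libshellx"),
    "Bangcle (SecShell)": ("libsecshell", "libsecexe"),
}

def check_manifest(raw: bytes) -> list:
    """Sanity-check the chunk header of a binary AndroidManifest.xml (AXML)."""
    if len(raw) < 8:
        return ["manifest shorter than an AXML header"]
    chunk_type, header_size, chunk_size = struct.unpack_from("<HHI", raw, 0)
    issues = []
    if chunk_type != 0x0003:  # a well-formed AXML file starts with an XML chunk
        issues.append(f"unexpected chunk type 0x{chunk_type:04x}")
    if header_size != 8:
        issues.append(f"unexpected header size {header_size}")
    if chunk_size != len(raw):
        issues.append(f"declared size {chunk_size} != actual {len(raw)}")
    return issues

def triage_apk(data: bytes) -> dict:
    """Report packer markers and manifest anomalies without executing the APK."""
    report = {"packers": [], "manifest_issues": [], "zip_error": None}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as apk:
            names = apk.namelist()
            lowered = [n.lower() for n in names]
            for packer, markers in PACKER_MARKERS.items():
                if any(m in n for n in lowered for m in markers):
                    report["packers"].append(packer)
            if "AndroidManifest.xml" in names:
                raw = apk.read("AndroidManifest.xml")
                report["manifest_issues"] = check_manifest(raw)
            else:
                report["manifest_issues"] = ["AndroidManifest.xml missing"]
    except zipfile.BadZipFile as exc:  # a damaged archive is itself a signal
        report["zip_error"] = str(exc)
    return report

def build_sample(lib_name: str, manifest: bytes) -> bytes:
    """Constructed sample: a tiny ZIP shaped like an APK, for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr(f"lib/arm64-v8a/{lib_name}", b"\x7fELF")
    return buf.getvalue()
```

A packer hit alone is not proof of malice, because legitimate apps also use commercial packers; the signal is stronger when it coincides with a manifest anomaly and a sideloaded install source.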

These attacks can have severe consequences, often leaving victims burdened with substantial loan repayments. Unfortunately, financial institutions tend to underestimate the impact of such intrusions.

