When Voice Phishing Met Malicious Android App, presented at Black Hat Asia 2019

by Min-chang Jang

Summary: In the traditional voice phishing we know, an attacker calls the victim and then commits fraud through social engineering techniques. These days, however, very few users are deceived by such an obvious attack. But what happens if attackers intercept the call when we ourselves dial the main number of a government agency or financial company? We will trust the other party because we placed the call ourselves.

We discovered malicious apps with the ability to intercept outgoing calls last year, but we did not have a live malicious app distribution server, because the server had already been shut down by the time we received the victim reports. A few months later, we received a report from a victim immediately, and we finally had a live malware distribution server. We were able to check which ports on the server were open, and we were able to obtain the web page source code as well. Based on strings from the web page source code found on the first distribution server, we wrote a script that automatically collects malicious apps in real time, and with it we have been able to find further malicious app distribution servers and variant malicious apps.

After we found the first live distribution server, we collected about 3,000 apps from distribution servers. The C&C server address was hard-coded inside the malicious apps and could be easily extracted. The C&C server is web-based. While analyzing the C&C server, we stumbled across a file containing the account information needed to access the server. Through that account information we were able to acquire Windows server administrator privileges on the distribution server and DB administrator privileges on the C&C server. We obtained a lot of information through an RDP connection to the server.

In particular, we confirmed that the attacker uses PPPoE to connect to the Internet, which led us to find that the server is geographically located in China (Taiwan). One of the most fascinating discoveries occurred after we installed a malicious app on a test phone and called a real attacker. The man answered the call, and he was fluent in Korean. He asked me to call again the next morning because his working hours were over. (In Korea, banking hours are from 9 AM to 4 PM; when I called him, it was after 4 PM.) In this talk, we will disclose the traces of actual voice phishing criminals that we found over the last few months, as described above.
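The summary notes that the C&C address was hard-coded in the collected apps and easy to extract, and that the collection script keyed on strings from the distribution pages. The following is an added example, not the speaker's own tooling, of the simplest way an analyst does that first extraction at scale: treat the APK as a ZIP, pull printable string runs out of every member (ASCII for the DEX string table and assets, UTF-16LE for the binary AndroidManifest.xml), match URLs and host:port pairs, and discard well-known benign Android hosts. The sample APK, its member contents and every host and IP in it are constructed for this example (RFC 5737 test addresses and example.net); none of them come from the talk. One caveat a practitioner would want: this catches plain hard-coded strings only, so a sample whose C&C address is XOR-ed, Base64-encoded or assembled at runtime needs decompilation (jadx, apktool) rather than a raw strings scan.

```python
"""Pull hard-coded network indicators (candidate C&C endpoints) out of an APK.

Added example, not the speaker's code. An APK is a ZIP: classes*.dex carries the
Dalvik string table (MUTF-8, so ASCII URLs survive a raw scan), assets/res can
carry config files, and AndroidManifest.xml is binary XML with UTF-16LE strings.
"""
import io
import re
import zipfile
from collections import defaultdict

MIN_LEN = 6  # shortest printable run worth keeping, like the strings(1) default-ish

ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[^\s\"'<>]*)?")
IP_PORT_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")

# Hosts that appear in almost every APK (resource namespaces, SDK docs) and are
# never the C&C. Extend this list as your own corpus shows more noise.
BENIGN_HOSTS = ("schemas.android.com", "www.w3.org", "developer.android.com",
                "github.com", "apache.org")


def strings_in(blob: bytes):
    """Yield printable runs, first as ASCII and then as UTF-16LE (manifest strings)."""
    for m in ASCII_RUN.finditer(blob):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.group().decode("utf-16le")


def valid_ip(ip_port: str) -> bool:
    """Reject version-number look-alikes such as 300.1.2.3 by checking each octet."""
    ip = ip_port.split(":")[0]
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def is_benign(indicator: str) -> bool:
    return any(host in indicator for host in BENIGN_HOSTS)


def extract_indicators(apk_bytes: bytes) -> dict:
    """Return {zip member: sorted indicators} for every member that contains any."""
    found = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            for s in strings_in(zf.read(name)):
                for url in URL_RE.findall(s):
                    if not is_benign(url):
                        found[name].add(url)
                # Strip the URLs first so an IP inside a URL is not reported twice.
                rest = URL_RE.sub(" ", s)
                for ip in IP_PORT_RE.findall(rest):
                    if valid_ip(ip) and not is_benign(ip):
                        found[name].add(ip)
    return {name: sorted(inds) for name, inds in found.items()}


def hosts(indicators: dict) -> set:
    """Collapse URLs and host:port pairs to bare hosts, the pivot for finding variants."""
    out = set()
    for inds in indicators.values():
        for ind in inds:
            host_port = re.sub(r"^https?://", "", ind).split("/", 1)[0]
            out.add(host_port.rsplit(":", 1)[0])
    return out


def build_sample_apk() -> bytes:
    """Constructed stand-in for a collected APK: the members are fake and only the
    embedded strings matter. Addresses are RFC 5737 TEST-NET values, not real C&C."""
    fake_dex = (b"dex\n035\x00" + b"\x00" * 16
                + b"http://203.0.113.10:8080/api/call\x00"
                + b"Lcom/example/Dialer;\x00"
                + b"198.51.100.7:9001\x00"
                + b"http://schemas.android.com/apk/res/android\x00")
    fake_manifest = ("com.example.phish".encode("utf-16le") + b"\x00\x00"
                     + "https://198.51.100.7/upload".encode("utf-16le"))
    fake_asset = b'{"cc":"http://cc.example.net/gate.php","version":"1.2.3"}'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", fake_dex)
        zf.writestr("AndroidManifest.xml", fake_manifest)
        zf.writestr("assets/config.json", fake_asset)
    return buf.getvalue()


if __name__ == "__main__":
    result = extract_indicators(build_sample_apk())
    for member, inds in result.items():
        print(member, inds)
    print("pivot hosts:", sorted(hosts(result)))
```

Run over a directory of collected samples, the `hosts()` set is what you feed back into the collection loop: each new host is another candidate distribution or C&C server to probe, and samples sharing a host are variants of one campaign.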