This nasty Android trojan is hijacking calls to your bank and sending them to hackers — how to stay safe

A picture of a skull and bones on a smartphone depicting malware
(Image credit: Shutterstock)

Imagine making a call to your bank after discovering fraudulent activity on one of your accounts, only for the person on the other end of the phone to be a hacker. Well, that is exactly what’s happening to victims of this updated Android banking trojan.

As reported by BleepingComputer, a new version of the FakeCall trojan is currently making the rounds online. First discovered by the cybersecurity firm Kaspersky back in 2022, this malware uses voice phishing (or vishing), overlay attacks and other tricks to convince victims they’re actually on a call with someone from their bank.

Late last year, CheckPoint released its own report warning that FakeCall had gained the ability to impersonate more than 20 different financial organizations. Since then though, its capabilities have grown even stronger and now, the malware is able to hijack both incoming and outgoing calls made from the best Android phones.

Here’s everything you need to know about this banking trojan, along with some tips and tricks to help you stay safe from hackers and the malware they use in their attacks.

Hijacking outgoing and incoming calls

A nervous woman looking at her phone

(Image credit: Shutterstock)

Just like most other banking trojans, FakeCall is spread through malicious apps which are usually sideloaded onto a victim’s phone. Previous versions of the trojan had users call their bank from within one of these bad apps and from there, hackers impersonated a bank employee while a fake overlay displayed their bank’s number during the call to prevent them from catching on.

Now though, this new version of FakeCall analyzed by cybersecurity researchers at Zimperium uses a new trick to appear even more convincing. Instead of an overlay on top of a legitimate app, the malicious app used to spread this malware sets itself as a phone’s default call handler. This is done by abusing Android’s accessibility services and after installation, victims are prompted to approve this.

With full control of an Android phone’s call handler, the hackers behind this campaign are able to hijack both incoming and outgoing calls. To make this appear more legitimate, a fake call interface that copies the real Android dialer is used which displays the names and info of a victim’s most frequent contacts.

If a victim goes to call their bank or other financial institution, FakeCall hijacks their call and redirects it to a hacker-controlled phone number. While the victim believes they're speaking with a bank employee who may ask for some sensitive information over the phone, they’re actually speaking with a hacker who is recording everything they say to use in subsequent attacks or even to commit fraud.

In addition to this new feature, this latest version of FakeCall has some other upgrades as well. These include the ability to live stream what’s on their screen, taking screenshots on an infected device, unlocking a phone to temporarily turn off auto-lock and more. Since so many new features have been added to this malware, it’s clear that it is currently under active development and that its creators are making it more powerful with each subsequent release.

In its report, Zimperium provides more details on this banking trojan and explains that it identified 13 malicious apps used to spread FakeCall. However, instead of their names, the firm has only released indicators of compromise (IoC) on GitHub. I'll try to get the full list of app names and will update this piece if I do so.

How to stay safe from Android malware

A hand holding a phone securely logging in

(Image credit: Google)

Just like with a lot of other Android malware, the easiest way to avoid having your phone infected with the FakeCall banking trojan is to not sideload apps. While installing apps this way may be convenient, you’re putting yourself at additional risk since these apps don’t go through the same rigorous security checks that ones on official app stores like the Google Play Store, Samsung Galaxy Store and the Amazon App Store do.

When in doubt, don’t install any apps as APK files on your phone. Instead, go to an official app store and search for the app you want to use by name. Google and other search engines are often used by hackers to host malicious ads, so it’s always better to navigate directly to an app store and search for new apps yourself. Likewise, you also want to limit the number of apps on your phone as even good apps can go bad.

In order to stay protected from malware and other online threats, you want to ensure that Google Play Protect is enabled on your device. This built-in security app scans all of the new apps you download and the existing ones on your smartphone for malware. For additional protection though, you might also want to consider using one of the best Android antivirus apps alongside Google Play Protect.

As long as there are apps, hackers are going to find a way to abuse them in their attacks. However, if you avoid sideloading new apps and don’t give the apps you do install access to permissions they don’t need, you should be safe from hackers. At the same time, it’s always a good idea to periodically restart your device to prevent hackers from using zero-click exploits to infect your phone with malware.

Since FakeCall is currently in active development, this likely isn’t the last time that we’ll hear about this banking trojan being used in cyberattacks.

More from Tom's Guide

Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.