Researchers have issued a warning about an emerging and advanced form of voice phishing (“vishing”) known as “Letscall.” This technique currently targets individuals in South Korea.
The criminals behind “Letscall” use a multi-step attack to trick victims into downloading a rogue app from a fake Google Play Store website.
Once the malicious software is installed, incoming calls are redirected to a call center under the control of criminals. Trained operators posing as bank employees then extract sensitive information from unsuspecting victims.
To facilitate the routing of voice traffic, “Letscall” uses cutting-edge technologies such as voice over IP (VoIP) and WebRTC. It also leverages the Session Traversal Utilities for NAT (STUN) and Traversal Using Relays around NAT (TURN) protocols, including Google’s STUN servers, to ensure high-quality phone or video calls and to bypass NAT and firewall restrictions.
The “Letscall” group consists of Android developers, designers, frontend and backend developers, and call operators specializing in voice social engineering attacks.
The malware operates in three stages: first, the downloader app prepares the victim’s device, paving the way for the installation of powerful spyware. This spyware then triggers the final stage, which allows the redirection of incoming calls to the attacker’s call center.
“The third stage has its own set of commands, which also includes WebSocket commands. Some of these commands are related to address book manipulation, such as creating and deleting contacts. Other commands are related to creating, modifying, and deleting filters that define which calls should be intercepted and which ones to ignore,” Dutch mobile security company ThreatFabric said in its report.
What sets “Letscall” apart is its use of advanced evasion techniques. The malware incorporates Tencent Legu and Bangcle (SecShell) obfuscation during the initial download. At a later stage, it uses a complicated naming structure in ZIP file directories and intentionally tampers with manifests to confuse and bypass security systems.
Criminals have developed systems that automatically call victims and play pre-recorded messages to trick them further. By combining cell phone infections with vishing techniques, these scammers can request microloans on behalf of victims while convincing them of suspicious activity and diverting calls to their centers.
The consequences of such an attack can be significant, leaving victims with huge loans to repay. Financial institutions often underestimate the severity of these invasions and fail to investigate potential fraud.
Although this threat is currently limited to South Korea, the researchers warn that there are no technical hurdles preventing these attackers from expanding into other regions, including the European Union.
This new form of vishing attack underscores the constant evolution of criminal tactics and their ability to exploit technology for malicious purposes. The group responsible for the “Letscall” malware demonstrates a sophisticated knowledge of Android security and voice routing technology.