Security researchers from Symantec have discovered a new variant of the Android.Fakebank.B banking trojan that prevents users from calling banks.

Security experts from Symantec have spotted a new strain of mobile Trojan dubbed Android.Fakebank.B that prevents users from making outgoing calls to banks from their mobile devices.

Android.Fakebank.B was first spotted in October 2013, it was able to intercept incoming calls to intercept SMS used by the banks for two-factor authentication.

Earlier 2014, experts from Symantec discovered a variant of the Trojan.Droidpak that was used to install the Android.Fakebank.B banking trojan on mobile devices.

The variant of Android.Fakebank.B used in those attacks was already implementing common features of mobile banking threats, including SMS interception and “MITM capabilities”.

In March 2016, the Android.Fakebank.B was observed targeting mainly customers of Russian and South Korean banks.

The analysis of the latest variant of the Fakebank.B Android Trojan revealed that the threat would register a BroadcastReceiver component that is used to monitor outgoing calls in order to block certain calls to customer service call centers of the target banks.

The Android.Fakebank.B also cancels every evidence of the call he has intercepted.

“Once installed, the new Android.Fakebank.B variants register a BroadcastReceiver component that gets triggered every time the user tries to make an outgoing call. If the dialed number belongs to any of the customer service call centers of the target banks, the malware programmatically cancels the call from being placed.” states the analysis published by Symantec.

The number blocked by the Banking Trojan:

  • KB Bank: 15999999;
  • KEB Hana Bank: 15991111;
  • NH Bank: 15442100 and 15882100;
  • Sberbank: 80055550;
  • SC Bank: 15881599 and 15889999;
  • Shinhan Bank: 15448000, 15778000, and 15998000.

The bank customers use the above numbers to cancel stolen payment cards and deny unauthorized transactions in a timely manner, but crooks block them to have more time for their illicit activities.

The Android.Fakebank.B established a backdoor and steals information from the victim’s smartphone.

Symantec issued the following recommendations to mitigate the threat:

  • Keep your software up to date
  • Refrain from downloading apps from unfamiliar sites and only install apps from trusted sources
  • Pay close attention to the permissions requested by apps
  • Install a suitable mobile security app, such as Norton, to protect your device and data
  • Make frequent backups of important data

In any cases, victims can contact the bank to report the fraudulent activities using alternative channels, including a landline, a different mobile device, or an email.

In early 2016, researchers from Symantec spotted another mobile banking Trojan in the wild, the Bankosy trojan that steals passwords sent through voice calls generated by 2FA systems.

Pierluigi Paganini