What if social engineers, instead of calling victims with voice phishing attacks, intercepted phone calls their victims make to legitimate phone numbers? Malicious apps let cybercriminals do just that – a new strain of vishing...
Here's how this works: An attacker must first convince a victim to download an app. The attacker may send a link to the victim, enticing the person with something like a low-interest loan, and prompt him to install the app for it. If the target takes the bait and later calls a financial company for loan consultation, the call is intercepted and connected to the attacker.
"The victims believe that they are talking to a financial company employee, but they aren't," Jang says. It's unlikely victims will know a scam is taking place, he says. Most of these attacks mimic apps from financial firms.
Kevin Mitnick, KnowBe4's Chief Hacking Officer, noted: "Very interesting. I don't think this would work on iOS. I wonder if the Android has to be rooted to install an app that can forward calls? Also it sounds like the user is downloading apps from sources other than Google Play. Essentially the user is downgrading their security by allowing downloads from any source. A big no-no."
In a presentation at Black Hat Asia entitled "When Voice Phishing Met Malicious Android App," Jang will disclose and discuss the criminal traces his research team found in voice phishing analysis conducted over the past few months. Full story at DarkReading.