FakeCall malware menaces Android devices

Threat actors are using an Android malware payload to pull off an elaborate social-engineering scam.

Researchers with mobile security specialist Zimperium say that a piece of malware known as FakeCall is tricking Android device owners into handing over sensitive data.

According to the Zimperium team, FakeCall lets the threat actors spoof the origin number of an incoming phone call and redirect an outgoing call. This, in turn, allows the attackers to pose as a legitimate organization such as a bank or financial institution and carry out voice-phishing, or “vishing”, attacks.

“FakeCall is an extremely sophisticated Vishing attack that leverages malware to take almost complete control of the mobile device, including the interception of incoming and outgoing calls,” explained Zimperium researcher Fernando Ortega. “Victims are tricked into calling fraudulent phone numbers controlled by the attacker and mimicking the normal user experience on the device.”

As with most malware infections, the FakeCall payload arrives as a link in a phishing email. Should the victim click the link, they are directed to download an APK that acts as a dropper for additional payloads.

One of those payloads connects the now-infected Android device to a command-and-control (C2) server. The malware then receives instructions from the C2 server to upload details of the device, as well as contacts and SMS messages.

From there, FakeCall can perform a number of tasks, including monitoring the device, sending and receiving messages and, more importantly, setting itself as the default handler for outbound and inbound calls. This allows the attacker to effectively hijack any call made or received on the infected device.

It does not take much imagination to figure out how the attacker can impersonate a bank, retailer, or even government organization in order to scam users out of personal details and account numbers.

Interestingly, the researchers noted that the latest versions of FakeCall include several functions, such as Bluetooth and screen-status monitoring, that the malware operators are not yet using.

“The malware incorporates a new service inherited from the Android Accessibility Service, granting it significant control over the user interface and the ability to capture information displayed on the screen,” explained Ortega. “The decompiled code shows methods such as onAccessibilityEvent() and onCreate() implemented in native code, obscuring their specific malicious intent.”

Android users are advised to carefully screen their emails and avoid clicking on any links that come with unsolicited messages.
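Two of the device-state changes described above, the malware taking over the default call handler and registering an Accessibility Service, are things an administrator can check for. The following triage script is an added example, not code from the article or from Zimperium: it parses the output of two adb commands (the commands and their output formats are assumptions) and flags a default-dialer package or accessibility service outside an allowlist; all sample values are constructed.

```python
# Added example, not Zimperium's or the article's code: a triage check over two
# pieces of Android device state that FakeCall-style malware changes, the
# package holding the default-dialer role and the list of enabled accessibility
# services. The adb commands and their output formats are assumptions; every
# sample value below is constructed.
from typing import Iterable

# Assumed collection commands (run with adb, paste the output into the script):
#   adb shell cmd role get-role-holders android.app.role.DIALER
#   adb shell settings get secure enabled_accessibility_services
KNOWN_DIALERS = {"com.android.dialer", "com.google.android.dialer", "com.samsung.android.dialer"}
KNOWN_A11Y_PREFIXES = ("com.android.", "com.google.android.marvin.talkback/")

def parse_dialer_role(raw: str) -> str:
    """Return the package named as dialer role holder ('' if none).
    Some builds append ';' to the package name (assumption), so strip it."""
    return raw.strip().rstrip(";").strip()

def parse_a11y_services(raw: str) -> list[str]:
    """Split the colon-separated 'package/service' list; the setting reads
    'null' (or is empty) when no accessibility service is enabled."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [entry for entry in raw.split(":") if entry]

def triage(dialer_raw: str, a11y_raw: str,
           known_dialers: Iterable[str] = KNOWN_DIALERS,
           known_prefixes: tuple[str, ...] = KNOWN_A11Y_PREFIXES) -> list[str]:
    """Flag a non-allowlisted dialer role holder and any third-party
    accessibility service; the two together match the behaviour described."""
    findings = []
    dialer = parse_dialer_role(dialer_raw)
    if dialer and dialer not in set(known_dialers):
        findings.append(f"default dialer role held by unexpected package: {dialer}")
    for service in parse_a11y_services(a11y_raw):
        if not service.startswith(known_prefixes):
            findings.append(f"third-party accessibility service enabled: {service}")
    return findings

# Constructed sample output from an infected device; 'com.example.fakebank'
# is a placeholder package name, not an indicator from the report.
SAMPLE_DIALER = "com.example.fakebank;\n"
SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.example.fakebank/com.example.fakebank.ScreenReaderService")

if __name__ == "__main__":
    for finding in triage(SAMPLE_DIALER, SAMPLE_A11Y) or ["no findings"]:
        print(finding)
```

A hit on either check is a reason to inspect the package, not proof of infection; a legitimately installed third-party dialer or screen reader will trip it too.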