'Letscall' Malware Takes Vishing to a New Level


Researchers have recently alerted the public to a new and advanced type of voice phishing (vishing) scam called "Letscall." This particular method of deception is currently being employed to target individuals in South Korea.

The criminals orchestrating the "Letscall" scheme follow a series of steps to trick their victims into downloading harmful applications from a counterfeit Google Play Store website.

Once the malicious software is installed, it reroutes incoming calls to a call center controlled by the criminals. Trained individuals posing as bank employees then manipulate unsuspecting victims into divulging sensitive information.

To carry voice traffic, "Letscall" uses voice over IP (VoIP) and WebRTC. It also relies on the Session Traversal Utilities for NAT (STUN) and Traversal Using Relays around NAT (TURN) protocols, including Google's public STUN servers, to deliver high-quality audio or video calls while traversing NAT and firewall restrictions.

The "Letscall" group comprises Android developers, designers, frontend and backend developers, and call operators specializing in voice-based social engineering attacks.

Letscall Mode of Operation

The malware operates in three distinct stages. Initially, a downloader app prepares the victim's device, paving the way for the installation of powerful spyware. This spyware then triggers the final stage, enabling the rerouting of incoming calls to the attackers' call center.

According to a report by Dutch mobile security firm ThreatFabric, the third stage is equipped with its own set of commands, including WebSocket commands. Some of these commands manipulate the address book by creating or removing contacts, while others create, modify, or remove the filters that determine which calls are intercepted and which are ignored.

What sets "Letscall" apart is its utilization of advanced evasion techniques. The malware incorporates Tencent Legu and Bangcle (SecShell) obfuscation during the initial download. In later stages, it employs complex naming structures in ZIP file directories and intentionally corrupts the manifest to confuse and bypass security systems.
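The evasion tricks described above (odd ZIP directory naming and a deliberately corrupted manifest) are the kind of thing a triage script can flag before an APK is handed to an analyst. The following is an added example, not code from ThreatFabric's report; `triage_apk` and its heuristics (unusual entry names, nesting depth, a manifest that does not start with the Android binary XML header `03 00 08 00`) are this editor's own assumptions, and the APK-like ZIP is constructed in memory as sample data.

```python
import io
import re
import zipfile

# Android binary XML (AXML) chunk header: type 0x0003, header size 0x0008, little-endian.
AXML_MAGIC = b"\x03\x00\x08\x00"

# Heuristic: control characters, non-ASCII characters, or ".." components in entry names.
SUSPICIOUS_NAME = re.compile(r"[\x00-\x1f\x7f]|[^\x00-\x7f]|(^|/)\.\.(/|$)")
MAX_DEPTH = 6  # deeper nesting than this is unusual for a normal APK (assumed threshold)


def triage_apk(apk_bytes):
    """Return a list of human-readable findings for an APK-like ZIP (hypothetical helper)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    except zipfile.BadZipFile as exc:
        return [f"not a readable ZIP: {exc}"]
    with zf:
        names = zf.namelist()
        for name in names:
            if SUSPICIOUS_NAME.search(name) or name.count("/") > MAX_DEPTH:
                findings.append(f"unusual entry name: {name!r}")
        if "AndroidManifest.xml" not in names:
            findings.append("manifest missing")
        else:
            try:
                head = zf.open("AndroidManifest.xml").read(4)
            except (zipfile.BadZipFile, NotImplementedError, RuntimeError) as exc:
                findings.append(f"manifest unreadable: {exc}")
            else:
                if head != AXML_MAGIC:
                    findings.append(f"manifest not valid AXML (starts with {head.hex()})")
    return findings


def build_sample(manifest_head, extra_name):
    """Construct a minimal APK-like ZIP in memory (sample data, not a real application)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest_head + b"\x00" * 28)
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr(extra_name, b"")
    return buf.getvalue()
```

Run `triage_apk` over a real sample's bytes; an empty list means none of these coarse heuristics fired, not that the APK is clean.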

The criminals have developed automated systems that call victims and play pre-recorded messages to further deceive them. By combining mobile phone infections with vishing techniques, these fraudsters can request micro-loans in the victims' names while persuading them that suspicious activity is taking place and redirecting their calls to the criminals' own call centers.

The damage from this type of attack can be severe, burdening victims with substantial loans to repay. Financial institutions often underestimate the gravity of these intrusions and fail to thoroughly investigate potential fraud cases.

While this threat is currently limited to South Korea, researchers caution that there are no technical barriers preventing these attackers from expanding their operations to other regions, including the European Union.

July 10, 2023