{"id":167384,"date":"2023-04-20T18:27:34","date_gmt":"2023-04-21T01:27:34","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=167384"},"modified":"2024-06-11T09:43:08","modified_gmt":"2024-06-11T16:43:08","slug":"fakecalls-android-malware-abusing-legitimate-signing-key","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/","title":{"rendered":"Fakecalls Android Malware Abuses Legitimate Signing Key"},"content":{"rendered":"

Authored by Dexter Shin<\/span><\/span>\u00a0<\/span><\/p>\n

McAfee Mobile Research Team <\/span>found<\/span> an Android<\/span> banking trojan <\/span>signed with a <\/span>key<\/span> used by legitimate <\/span>apps in South Korea<\/span> last year<\/span>.<\/span> By <\/span>design<\/span>,<\/span> Android requires that all applications<\/span> must<\/span> be signed with a <\/span>key<\/span>, <\/span>in other words<\/span>\u00a0a keystore,<\/span> so they can <\/span>be installed or update<\/span>d<\/span>. <\/span>Because this<\/span> key <\/span>can only be used by the developer <\/span>who <\/span>created it<\/span>, an application signed with the same <\/span>key<\/span> is<\/span> assumed <\/span>to <\/span>belong to the same developer. <\/span>That is the case of this Android <\/span>b<\/span>anking trojan <\/span>that uses this legitimate <\/span>signing key<\/span> to <\/span>bypass signature-based detection techniques<\/span>.<\/span> And these banking trojans weren’t distributed on Google Play or official app stores until now.<\/span> This threat <\/span>had been<\/span> disclosed<\/span> to <\/span>the <\/span>company<\/span> that owns<\/span> the legitimate <\/span>key <\/span>last year <\/span>and <\/span>t<\/span>he company has taken <\/span>precautions<\/span>. T<\/span>he company has<\/span> confirmed <\/span>that <\/span>they have replace<\/span>d<\/span> the <\/span>signing key<\/span> and <\/span>currently, <\/span>all the<\/span>ir<\/span> legitimate apps<\/span> are signed with a new <\/span>signing key<\/span>.<\/span><\/span>\u00a0<\/span><\/p>\n

Android malware using a legitimate <\/span>signing <\/span>key<\/span><\/span>\u00a0<\/span><\/h2>\n

While <\/span>tracking<\/span> the Android <\/span>banking trojan<\/span> Fakecalls<\/span> we found a <\/span>sample<\/span> using the same <\/span>signing key<\/span> as <\/span>a<\/span> well<\/span>–<\/span>known <\/span>app<\/span> in Korea<\/span>.<\/span> This app <\/span>is developed by <\/span>a <\/span>reputable<\/span> IT<\/span> services<\/span> company<\/span> with <\/span>extensive<\/span> business<\/span>es<\/span> across various sectors,<\/span> including but not limited to IT,<\/span> gam<\/span>ing<\/span>, <\/span>payment,<\/span> and advertis<\/span>ing<\/span>.<\/span> We confirmed that most of the <\/span>malicious samples<\/span> using this <\/span>key<\/span> pretend to be a <\/span>bank<\/span>ing<\/span> app<\/span> as they use the <\/span>same icon as the real banking apps<\/span>.<\/span><\/span>\u00a0<\/span><\/p>\n

\"\"<\/p>\n

Figure <\/span><\/span>1<\/span><\/span><\/span>. <\/span>M<\/span>alware<\/span> and <\/span>legitimate app on Google Play<\/span><\/span>\u00a0<\/span><\/p>\n

Distribution method and latest s<\/span>t<\/span>atus<\/span><\/span>\u00a0<\/span><\/h2>\n

Domains verified <\/span>last <\/span>August when we first discovered the samples are now down.<\/span> However<\/span>,<\/span> we investigated URLs related <\/span>to <\/span>this <\/span>malware<\/span> and <\/span>we <\/span>found<\/span> similar <\/span>ones<\/span> related to this threat<\/span>.<\/span> Among them, we <\/span>identified<\/span> a <\/span>phishing site that <\/span>is<\/span> still alive during our research.<\/span> The site is also disguised as a banking site<\/span>.<\/span><\/span>\u00a0<\/span><\/p>\n

\"\"<\/p>\n

Figure <\/span>2<\/span>. <\/span>A phishing page disguised as <\/span>a <\/span>Korean <\/span>banking <\/span>site<\/span><\/span>\u00a0<\/span><\/p>\n

We also found that<\/span> they updated <\/span>the <\/span>domain information<\/span> of this web page <\/span>a few days before our investigation<\/span>.<\/span><\/span>\u00a0<\/span><\/p>\n

\"\"<\/p>\n

So<\/span> we <\/span>took a deeper look into this <\/span>domain<\/span> and we found <\/span>additional<\/span> unusual IP<\/span> addresses that led us to the <\/span>C<\/span>ommand and <\/span>c<\/span>ontrol<\/span>(<\/span>C<\/span>2)<\/span> server<\/span> admin pages<\/span> used by the cybercriminals <\/span>to control <\/span>the <\/span>infected devices<\/span>.<\/span><\/span>\u00a0<\/span><\/p>\n

\"\"<\/p>\n

 <\/p>\n

\"\"<\/p>\n

Figure <\/span><\/span>3<\/span><\/span><\/span>. <\/span>Fakecalls<\/span> C<\/span>ommand and <\/span>control(C2) <\/span>admin <\/span>page<\/span>s<\/span><\/span>\u00a0<\/span><\/p>\n

How does it <\/span>work<\/span><\/span>\u00a0<\/span><\/h2>\n

When <\/span>we check the<\/span> APK file structure, <\/span>we can see that<\/span> this malware uses <\/span>a <\/span>packer to avoid analysis and detection.<\/span> The malicious code is encrypted in one of the files below<\/span>.<\/span><\/span>\u00a0<\/span><\/p>\n

\"\"<\/p>\n

Figure <\/span>4<\/span>. <\/span>Tencent\u2019s <\/span>Legu<\/span> Packer<\/span> libraries<\/span><\/span>\u00a0<\/span><\/p>\n

After decrypting the DEX file, we found some unusual functionality. The code below gets the Android package information from a file with a HTML extension.<\/span>\u00a0<\/span><\/p>\n

\u00a0<\/span>\"\"Figure <\/span>5<\/span>. <\/span>Questionable code in the decrypted DEX file<\/span><\/span>\u00a0<\/span><\/p>\n

This file is in fact another APK (Android Application) rather than a traditional HTML file designed to be displayed in a web browser.<\/span>\u00a0<\/span><\/p>\n

\"\"Figure <\/span>6<\/span>. <\/span>APK file disguised as an HTML <\/span>file<\/span><\/span>\u00a0<\/span><\/p>\n

When <\/span>the user<\/span> launches<\/span> the malware<\/span>,<\/span> it <\/span>immediately<\/span> asks for<\/span> permission to install <\/span>another<\/span> app.<\/span> Then <\/span>it<\/span> tr<\/span>ies to install<\/span> an application <\/span>stored in <\/span>the <\/span>\u201c<\/span>assets<\/span>\u201d<\/span> directory<\/span> as <\/span>\u201c<\/span>introduction.html<\/span>\u201d.<\/span> The<\/span> \u201c<\/span>introduction.html<\/span>\u201d is<\/span>\u00a0<\/span>an<\/span> APK file<\/span> and <\/span>real <\/span>malicious<\/span> behavior<\/span> happen<\/span>s here<\/span>.<\/span><\/span>\u00a0<\/span><\/p>\n

\"\"<\/p>\n

Figure <\/span>7<\/span>. <\/span>Dropper\u00a0<\/span>asks\u00a0you to install<\/span> the main <\/span>payload<\/span><\/span>\u00a0<\/span><\/p>\n

When the dropped payload is about to be installed, it asks for several permissions <\/span>to access sensitive personal information<\/span>.<\/span><\/span>\u00a0<\/span><\/p>\n

\"\"<\/p>\n

Figure <\/span>8<\/span>. <\/span>Permissions required by the main malicious <\/span>application<\/span><\/span>\u00a0<\/span><\/p>\n

It also<\/span> registers <\/span>several<\/span> services and receivers to control notifications from the device and to receive commands from <\/span>a remote Command and Control server<\/span>.<\/span><\/span>\u00a0<\/span><\/p>\n

\"\"<\/p>\n

\u00a0<\/span>Figure 9. Services and receivers registered by the main payload<\/p>\n

By contrast,<\/span> the malware<\/span> uses<\/span> a legitimate <\/span>p<\/span>ush<\/span> SDK<\/span> to<\/span> receive <\/span>command<\/span>s<\/span> from <\/span>a remote server<\/span>.<\/span> Here are <\/span>the<\/span> complete list of commands and <\/span>their<\/span> purpose<\/span>.<\/span><\/span>\u00a0<\/span><\/p>\n

 <\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Command name<\/strong>\u00a0<\/span><\/td>\nPurpose\u00a0<\/strong><\/td>\n<\/tr>\n
note<\/span>\u00a0<\/span><\/td>\nsms message upload<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
incoming_transfer<\/span>\u00a0<\/span><\/td>\ncaller number upload<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
del_phone_record<\/span>\u00a0<\/span><\/td>\ndelete call log<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
zhuanyi<\/span>\u00a0<\/span><\/td>\nset call forwarding with parameter<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
clear_note<\/span>\u00a0<\/span><\/td>\ndelete sms message<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
assign_zhuanyi<\/span>\u00a0<\/span><\/td>\nset call forwarding<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
file<\/span>\u00a0<\/span><\/td>\nfile upload<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
lanjie<\/span>\u00a0<\/span><\/td>\nblock sms message from specified numbers<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
allfiles<\/span>\u00a0<\/span><\/td>\nfind all possible files and upload them<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
email_send<\/span>\u00a0<\/span><\/td>\nsend email<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
record_telephone<\/span>\u00a0<\/span><\/td>\ncall recording on<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
inout<\/span>\u00a0<\/span><\/td>\nre-mapping on C2 server<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
blacklist<\/span>\u00a0<\/span><\/td>\nregister as blacklist<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
listener_num<\/span>\u00a0<\/span><\/td>\nno function<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
no_listener_num<\/span>\u00a0<\/span><\/td>\ndisable monitoring a specific number<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
rebuild<\/span>\u00a0<\/span><\/td>\nreset and reconnect with C2<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
deleteFile<\/span>\u00a0<\/span><\/td>\ndelete file<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
num_address_list<\/span>\u00a0<\/span><\/td>\ncontacts upload<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
addContact<\/span>\u00a0<\/span><\/td>\nadd contacts<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
all_address_list<\/span>\u00a0<\/span><\/td>\ncall record upload<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
deleteContact<\/span>\u00a0<\/span><\/td>\ndelete contacts<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
note_intercept<\/span>\u00a0<\/span><\/td>\nintercept sms message from specified numbers<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
intercept_all_phone<\/span>\u00a0<\/span><\/td>\nintercept sms message from all<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
clear_date<\/span>\u00a0<\/span><\/td>\ndelete all file<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
clear_phone_contact<\/span>\u00a0<\/span><\/td>\ndelete all contacts<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
clear_phone_record<\/span>\u00a0<\/span><\/td>\ndelete all call log<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
per_note<\/span>\u00a0<\/span><\/td>\nquick sms message upload<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
soft_name<\/span>\u00a0<\/span><\/td>\napp name upload<\/span>\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u00a0<\/span><\/p>\n

Cybercriminals are constantly evolving and using new ways to bypass security checks, such as abusing legitimate signing keys. Fortunately, there was no damage to users due to this signing key leak. However, we recommend that users install security software on their devices<\/a> to respond to these threats. Also, users are recommended to download and use apps from the official app stores.<\/span>\u00a0<\/span><\/p>\n

McAfee Mobile Security<\/a> detects this threat as Android\/Banker regardless of the application, is signed with the previously legitimate signing key.\u00a0<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Indicators of Compromise<\/span><\/b>\u00a0<\/span><\/p>\n

\u00a0<\/span><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
SHA256<\/span>\u00a0<\/span><\/td>\nName<\/span>\u00a0<\/span><\/td>\nType<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
7f4670ae852ec26f890129a4a3d3e95c079f2f289e16f1aa089c86ea7077b3d8<\/span>\u00a0<\/span><\/td>\n\uc2e0\ud55c\uc2e0\uccad\uc11c<\/span>\u00a0<\/span><\/td>\nDropper<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
9e7c9b04afe839d1b7d7959ad0092524fd4c6b67d1b6e5c2cb07bb67b8465eda<\/span>\u00a0<\/span><\/td>\n\uc2e0\ud55c\uc2e0\uccad\uc11c<\/span>\u00a0<\/span><\/td>\nDropper<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
21ec124012faad074ee1881236c6cde7691e3932276af9d59259df707c68f9dc<\/span>\u00a0<\/span><\/td>\n\uc2e0\ud55c\uc2e0\uccad\uc11c<\/span>\u00a0<\/span><\/td>\nDropper<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
9621d951c8115e1cc4cf7bd1838b8e659c7dea5d338a80e29ca52a8a58812579<\/span>\u00a0<\/span><\/td>\n\uc2e0\ud55c\uc2e0\uccad\uc11c<\/span>\u00a0<\/span><\/td>\nDropper<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
60f5deb79791d2e8c2799e9af52adca5df66d1304310d1f185cec9163deb37a2<\/span>\u00a0<\/span><\/td>\n\ubcf4\uc548\uc778\uc99d\uc11c<\/span>\u00a0<\/span><\/td>\nBanker<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
756cffef2dc660a241ed0f52c07134b7ea7419402a89d700dffee4cc6e9d5bb6<\/span>\u00a0<\/span><\/td>\n\ubcf4\uc548\uc778\uc99d\uc11c<\/span>\u00a0<\/span><\/td>\nBanker<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
6634fdaa22db46a6f231c827106485b8572d066498fc0c39bf8e9beb22c028f6<\/span>\u00a0<\/span><\/td>\n\ubcf4\uc548\uc778\uc99d\uc11c<\/span>\u00a0<\/span><\/td>\nBanker<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
52021a13e2cd7bead4f338c8342cc933010478a18dfa4275bf999d2bc777dc6b<\/span>\u00a0<\/span><\/td>\n\ubcf4\uc548\uc778\uc99d\uc11c<\/span>\u00a0<\/span><\/td>\nBanker<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
125772aac026d7783b50a2a7e17e65b9256db5c8585324d34b2e066b13fc9e12<\/span>\u00a0<\/span><\/td>\n\ubcf4\uc548\uc778\uc99d\uc11c<\/span>\u00a0<\/span><\/td>\nBanker<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
a320c0815e09138541e9a03c030f30214c4ebaa9106b25d3a20177b5c0ef38b3<\/span>\u00a0<\/span><\/td>\n\ubcf4\uc548\uc778\uc99d\uc11c<\/span>\u00a0<\/span><\/td>\nBanker<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
c7f32890d6d8c3402601743655f4ac2f7390351046f6d454387c874f5c6fe31f<\/span>\u00a0<\/span><\/td>\n\ubcf4\uc548\uc778\uc99d\uc11c<\/span>\u00a0<\/span><\/td>\nBanker<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
dbc7a29f6e1e91780916be66c5bdaa609371b026d2a8f9a640563b4a47ceaf92<\/span>\u00a0<\/span><\/td>\n\ubcf4\uc548\uc778\uc99d\uc11c<\/span>\u00a0<\/span><\/td>\nBanker<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
e6c74ef62c0e267d1990d8b4d0a620a7d090bfb38545cc966b5ef5fc8731bc24<\/span>\u00a0<\/span><\/td>\n\ubcf4\uc548\uc778\uc99d\uc11c<\/span>\u00a0<\/span><\/td>\nBanker<\/span>\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u00a0<\/span><\/p>\n

Domains:<\/span>\u00a0<\/span><\/p>\n

    \n
  • http[:\/\/]o20-app.dark-app.net<\/span>\u00a0<\/span><\/li>\n
  • http[:\/\/]o20.orange-app.today<\/span>\u00a0<\/span><\/li>\n
  • http[:\/\/]orange20.orange-app.today<\/span>\u00a0<\/span><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"

    Authored by Dexter Shin\u00a0 McAfee Mobile Research Team found an Android banking trojan signed with a key used by legitimate…<\/p>\n","protected":false},"author":695,"featured_media":167546,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1838,442],"tags":[180],"coauthors":[4136],"class_list":["post-167384","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mobile-security","category-mcafee-labs","tag-malware"],"acf":[],"yoast_head":"\nFakecalls Android Malware Abuses Legitimate Signing Key | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Authored by Dexter Shin\u00a0 McAfee Mobile Research Team found an Android banking trojan signed with a key used by legitimate apps in South Korea last year.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Fakecalls Android Malware Abuses Legitimate Signing Key | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Authored by Dexter Shin\u00a0 McAfee Mobile Research Team found an Android banking trojan signed with a key used by legitimate apps in South Korea last year.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2023-04-21T01:27:34+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-06-11T16:43:08+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/04\/300x200_Blog_Fakecalls.png\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Fakecalls Android Malware Abuses Legitimate Signing Key\",\"datePublished\":\"2023-04-21T01:27:34+00:00\",\"dateModified\":\"2024-06-11T16:43:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/\"},\"wordCount\":1131,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/04\/300x200_Blog_Fakecalls.png\",\"keywords\":[\"malware\"],\"articleSection\":[\"Mobile Security\",\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/\",\"name\":\"Fakecalls Android Malware Abuses Legitimate Signing Key | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/04\/300x200_Blog_Fakecalls.png\",\"datePublished\":\"2023-04-21T01:27:34+00:00\",\"dateModified\":\"2024-06-11T16:43:08+00:00\",\"description\":\"Authored by Dexter Shin\u00a0 McAfee Mobile Research Team found an Android banking trojan signed with a key used by legitimate apps in South Korea last year.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/04\/300x200_Blog_Fakecalls.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/04\/300x200_Blog_Fakecalls.png\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Fakecalls Android Malware Abuses Legitimate Signing Key\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Fakecalls Android Malware Abuses Legitimate Signing Key | McAfee Blog","description":"Authored by Dexter Shin\u00a0 McAfee Mobile Research Team found an Android banking trojan signed with a key used by legitimate apps in South Korea last year.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Fakecalls Android Malware Abuses Legitimate Signing Key | McAfee Blog","og_description":"Authored by Dexter Shin\u00a0 McAfee Mobile Research Team found an Android banking trojan signed with a key used by legitimate apps in South Korea last year.","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2023-04-21T01:27:34+00:00","article_modified_time":"2024-06-11T16:43:08+00:00","og_image":[{"width":300,"height":200,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/04\/300x200_Blog_Fakecalls.png","type":"image\/png"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"Fakecalls Android Malware Abuses Legitimate Signing Key","datePublished":"2023-04-21T01:27:34+00:00","dateModified":"2024-06-11T16:43:08+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/"},"wordCount":1131,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/04\/300x200_Blog_Fakecalls.png","keywords":["malware"],"articleSection":["Mobile Security","McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/","name":"Fakecalls Android Malware Abuses Legitimate Signing Key | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/04\/300x200_Blog_Fakecalls.png","datePublished":"2023-04-21T01:27:34+00:00","dateModified":"2024-06-11T16:43:08+00:00","description":"Authored by Dexter Shin\u00a0 McAfee Mobile Research Team found an Android banking trojan signed with a key used by legitimate apps in South Korea last year.","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/04\/300x200_Blog_Fakecalls.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/04\/300x200_Blog_Fakecalls.png","width":300,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fakecalls-android-malware-abusing-legitimate-signing-key\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Fakecalls Android Malware Abuses Legitimate Signing Key"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/167384","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=167384"}],"version-history":[{"count":9,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/167384\/revisions"}],"predecessor-version":[{"id":193681,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/167384\/revisions\/193681"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/167546"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=167384"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=167384"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=167384"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=167384"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}