LetsCall

Malware updated 8 months ago (2024-11-29T14:11:59.342Z)
LetsCall is sophisticated malware that primarily targets users in South Korea but has the potential to expand its operations to European Union countries. The infection begins when a victim visits a phishing website that imitates a Google Play Store page. Clicking a link on this site initiates the download of the first stage of the malware onto the user's phone.

Researchers at ThreatFabric identified this advanced voice phishing (vishing) attack toolset during their regular threat-hunting activities and subsequently investigated the malware's operations. They discovered that the cybercriminal organization behind LetsCall is highly knowledgeable in Android security and contemporary voice routing technology. The malware uses Session Traversal Utilities for NAT (STUN) and Traversal Using Relays around NAT (TURN), including Google STUN servers, to bypass network address translation (NAT) and firewalls. This ensures the highest possible quality for phone or video calls and facilitates a peer-to-peer voice/video connection between the call-centre operator and the victim. The same channel is also used for command-and-control (C2) communication, allowing various commands to be executed.

Despite the current focus on the South Korean market, there are no technical barriers preventing the threat actors from extending their reach to other countries. The well-designed infrastructure observed during the analysis could be used by phone operators speaking different languages, which leads to the prediction that such a toolkit could be promoted as Malware as a Service (MaaS) on the dark web.

To avoid infection by LetsCall and similar vishing malware, phone users are advised to deny accessibility services access to any suspicious applications.
Description last updated: 2024-05-05T02:38:01.207Z
Aliases
We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing