Android Malware Targets Financial Firms in South Korea

May 12, 2023

Threat actors are increasingly employing Android malware to attack financial firms. This includes banking trojans that can collect valuable data and encrypt files in order to monetize the attack.

FakeCalls is an advanced voice phishing (vishing) malware campaign targeting South Korean users with the pretense of popular financial apps. It collects private data from victims’ devices while evading detection through several unique and effective evasion tactics.

Mobile Banking Security

Security professionals are warning of an increase in malware targeting financial firms in South Korea. Recently, hackers have targeted gaming cyber money but now they’re turning their attention towards real banks to steal data and cash from customers.

According to a survey, 25% of financial firms had been compromised within the past two years. In some cases, hackers were able to siphon off millions of dollars from their victims.

One major concern is that these attacks often use multiple methods to access private information. This may involve spreading malicious software and malware through Trojans, or by employing phishing techniques to coerce users into providing their passwords.

Financial firms have long been warned about these threats, yet they largely disregard them. This makes it difficult to protect private financial information against cyber attacks.

Another issue with South Korean internet banking is the complex system of certificates issued to individuals and used for signing transactions between financial institutions. Unfortunately, these certificates aren’t stored on a user’s computer or email but rather on the website of the bank where the transaction takes place.

Due to this, it’s easy to misplace certificates during the signing process. This could result in a security breach if there is ever an attack, hacking incident, or accident.

Further complicating matters, Korean internet banking also relies on a range of security applications distributed via the web – collectively referred to as an application zoo. Each one comes with its own website SDK that must be installed before these features can be utilized.

These SDKs contain a large number of JavaScript files that must be loaded into the user’s browser and initialized before the website can be used to complete a transaction. This causes the site to run slowly, making navigation difficult even for experienced web surfers.

Fortunately, there are measures that can be taken to enhance security when it comes to internet banking in Korea. These include increasing compatibility and accessibility as well as strengthening protection of private financial information.

FakeCalls Malware

Financial firms in South Korea are the target of FakeCalls, according to Check Point Research. This malware mimics phone calls from 20 leading banks within the country and attempts to steal credit card information by tricking victims into confirming their cards.

CPR’s Alexander Chailytko warns that this Android vishing malware attempts to lure victims with false loan offers that request credit card details in order to steal them. Furthermore, it attempts to circumvent security software by adding numerous files inside nested directories within its asset folder and reading data from dead drop resolvers on Google Drive or an arbitrary Web server.

Furthermore, this Trojan can control incoming and outgoing calls by spoofing them. Furthermore, it enables cybercriminals to access personal information like contact lists, phone histories, files, and photos.

Malware can be downloaded from a malicious website and installed on a victim’s device via Chrome browser. Once activated, it asks for permission to read data such as contacts and phone history from the device, along with accessing its camera, microphone, and geolocation capabilities.

Once installed, the Trojan begins collecting sensitive information such as private messages, phone numbers, passwords and logins. It even records live audio and video streams from your device’s camera which it sends to its Command-and-Control (C&C) servers for analysis.

It then uses these resources to make false loans and conduct phone conversations with bank employees. Once the victim trusts the operators, they’re duped into providing their credit card details.

To make the conversation appear authentic, operators often replace their displayed phone number with a real bank’s number so the victim believes they are speaking to an actual employee of the bank. Once trust has been established, they begin asking for credit card details which they then use to siphon off funds from them.

FakeCalls malware not only steals credit card information, but it is capable of other tasks as well. It has the capacity to download and install other applications, spoof incoming and outgoing calls, access contacts on a device, and record audio.

Kimsuky APT

Kimsuky, also known as Black Banshee, Thallium or Velvet Chollima is a North Korean cyberespionage group that continues to target financial firms in South Korea. This APT uses phishing attempts to gather credentials from victims and watering hole attacks to extract data stored on cloud storage, according to Malwarebytes threat intelligence firm.

Recently, malicious actors used a false KISA security app to harvest sensitive information from Android devices. The malicious APK was delivered as an APK attachment in spearphishing emails and installed and executed without the target’s knowledge, leading to theft of email accounts and data stored on the phone.

Kaspersky Lab reports a second campaign from the same attackers, in which an APT actor used a malicious browser extension to steal email content. This campaign was seen targeting targets in South Korea and Europe, with Volexity incident response firm spotting the malware.

Researchers from Kaspersky Labs have uncovered a modular spyware suite called “KGH_SPY” and an innovative malware strain named “CSPY Downloader.” The spyware module gives Kimsuky threat actors the capacity to spy on computers undetected. Additionally, it is capable of exfiltrating key logs which are encrypted before being sent directly to their command and control server (C2).

This APT is known for using multiple malware modules to perform various espionage activities, including file exfiltration and credential harvesting. The malware module used for file exfiltration is a VB script, which zips up files from victims’ computers before sending them directly to a C2 specified by the attackers who then extract and decrypt them, giving hackers access to any data stored on those devices.

This campaign employed a variant of the Gold Dragon/Brave Prince family of implants that are designed to conduct reconnaissance and espionage on victim systems. It also includes a keylogger DLL that captures passwords for storage on victims’ computers, along with an instrumentor VB script responsible for zipping up this key log and sending it off to an assigned C2 by the attackers.


Ransomware is a type of malware that encrypts files on computers so users cannot access them unless they pay an amount in cryptocurrency to the attacker. This form of cybercrime has a long-standing history and has been employed by various types of criminals.

Ransomware typically works by sending a message to the user that their data has been encrypted and will only be decrypted if they pay an amount in cryptocurrency. After payment is made, a decryptor key is then provided to them; however, in some cases this decryptor may not work or corrupt your files beyond repair.

Some ransomware packages include a cryptominer tool, which compels the victim’s computer to mine cryptocurrency. This is done so that the attacker can gain a share of the profits from mining activities and pay themselves in currency.

These types of attacks pose a threat not only to businesses that depend on their systems for operations, but also individuals who wish to keep their personal information secure from potential hackers. Usually, these are carried out through malicious emails and texts or through phishing scams.

Recent ransomware outbreaks have primarily targeted small and midsized businesses, which may not have the resources to hire large teams of IT specialists who understand the risks of a cyberattack. Unfortunately, this leaves these organizations particularly vulnerable to ransomware attacks.

One of the best defenses against such attacks is to regularly back up all important files. This way, if an attack does take place, businesses will still have a copy of their data.

Even if all data is back up, it’s still not guaranteed that a ransomware attack won’t cause severe disruptions in the business. Depending on how severe the damage, some businesses may need to close their doors temporarily until they can restore their systems and recover all of their data.

Financial services sectors are frequently targeted by ransomware attacks. Typically, these attacks are carried out by APT groups with an affinity for this sector – some North Korean, while others originate in South Korea. These APT groups seek victims who will pay a relatively low ransom price in order to solve their problems quickly.

Ammar Fakhruddin


Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

Data Security Through Data Literacy

Data Security Through Data Literacy

Unlocking data security through data literacy. Explore the pivotal role of understanding data in fortifying cybersecurity measures. Data is now pervasive, and it is important for people to understand how to work with this information. They need to be able to interpret...

Trojan Rigged Tor Browser Bundle Drops Malware

Trojan Rigged Tor Browser Bundle Drops Malware

Trojan Rigged Tor Browser Bundle drops malware. Stay vigilant against cybersecurity threats, and secure your online anonymity with caution. Threat actors have been using Trojanized installers for the Tor browser to distribute clipboard-injector malware that siphons...

Siri Privacy Risks: Unveiling the Dangers

Siri Privacy Risks: Unveiling the Dangers

Unveiling Siri privacy risks: Understand the potential dangers and take steps to enhance your digital assistant's security. Siri is a great piece of technology, but it can also be dangerous to users’ privacy. This is a serious issue that should be addressed....

Recent Case Studies

Press Releases

News & Events


Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing



About Us