S1080: Fakecalls
Analyst context for executives and security teams
Fakecalls is an Android banking trojan that matters because it targets trust in mobile banking interactions, not just device data. MITRE describes it as masquerading as South Korean banking apps, intercepting calls to banking institutions, and using pre-recorded audio to maintain realistic dialogue with victims. For leaders, the key risk is that mobile malware can undermine fraud controls, customer or employee trust, and incident triage when phone-based verification is assumed to be reliable.
Executive priority
Prioritize Fakecalls as a mobile fraud and identity-risk scenario where Android devices interact with banking or sensitive business workflows. The business question is whether mobile device policy, app vetting, user reporting, and incident response playbooks can identify a malicious app that looks legitimate and abuses call, audio, location, contact, SMS, file, and exfiltration capabilities. This is especially relevant for compliance evidence around mobile access governance and for validating whether SOC coverage includes mobile telemetry rather than only endpoint and network logs.
Technical view
ATT&CK provides no official detection text and no tactics for this object, so defenders should validate coverage through the related techniques. On Android, focus on suspicious applications that request or use permissions consistent with call control, microphone/audio capture, camera/video capture, location access, contacts, call logs, SMS access, local file access, file deletion, and outbound command-and-control exfiltration. Because Fakecalls is described as masquerading as banking apps, app identity validation should include package name, icon/name similarity, installation source, signing/certificate reputation where available, requested permissions, runtime permission use, and network behavior. IR teams should be prepared to preserve mobile app metadata, permission state, call/SMS/contact access evidence, and network indicators from the affected device or MDM/mobile security tooling.
Likely telemetry
- Android application inventory and installation source records
- Application package name, displayed app name, icon, signing/certificate metadata, and version details
- Android permission requests and runtime permission grants, especially RECORD_AUDIO, phone-call permissions, location permissions, contacts, call log, SMS, camera, and storage-related access
- Mobile device management or mobile threat defense alerts for suspicious banking-app impersonation or excessive permissions
- Call activity, call forwarding/blocking/answering behavior where available to the organization
Detection direction
- Do not rely on a single IOC because the supplied ATT&CK object has no official detection guidance; validate behavior-based coverage mapped to the related techniques.
- Tune for Android apps that combine sensitive permissions with banking-app impersonation indicators, such as matching or approximating legitimate names, icons, package locations, or branding.
- Correlate permission grants with actual use: call control plus microphone/audio access, call log/contact/SMS collection, location access, local data access, and outbound network communication is more meaningful than any one permission alone.
- Account for false positives from legitimate banking, communication, accessibility, or device-management applications; require context such as installation source, signing identity, user expectation, and enterprise allowlists.
- Confirm whether SOC workflows ingest mobile telemetry at all; a common blind spot is assuming EDR/network controls cover employee or customer Android activity when mobile-specific logs are absent.
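The app-identity checks listed under the technical view and the grant-versus-use correlation described in the detection direction can be expressed as one scoring pass over a mobile app inventory. The script below is an added example, not code from MITRE, Kaspersky or Glexia; every package name, certificate fingerprint, installer and app record in it is a constructed placeholder, and the 0.8 name-similarity cut-off and the three-cluster threshold are assumptions to be tuned locally. It flags an app only when banking-app impersonation and several sensitive capability clusters in actual use coincide, and routes weaker signals to review rather than alerting on any single permission.

```python
"""Added example: score an Android app inventory for banking-app impersonation
combined with Fakecalls-style permission use (call control, audio, call log,
contacts, SMS, location, local media). All data below is constructed."""
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Hypothetical enterprise allowlist: legitimate banking apps with their expected
# package name and signing-certificate SHA-256 (placeholder values).
LEGIT_BANKING_APPS = {
    "com.examplebank.mobile": {"name": "Example Bank", "cert": "AA11" * 16},
    "com.northbank.app":      {"name": "North Bank",   "cert": "BB22" * 16},
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play installer package

# Capability clusters mirroring the technique table (T1616, T1429, T1636.*,
# T1430, T1533, T1512). Several clusters in use at once is the signal.
CAPABILITY_CLUSTERS = {
    "call_control": {"android.permission.CALL_PHONE",
                     "android.permission.ANSWER_PHONE_CALLS",
                     "android.permission.WRITE_CALL_LOG",
                     "android.permission.SYSTEM_ALERT_WINDOW"},
    "audio":        {"android.permission.RECORD_AUDIO"},
    "collection":   {"android.permission.READ_CALL_LOG",
                     "android.permission.READ_CONTACTS",
                     "android.permission.READ_SMS"},
    "location":     {"android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.ACCESS_COARSE_LOCATION"},
    "media_files":  {"android.permission.CAMERA",
                     "android.permission.READ_EXTERNAL_STORAGE"},
}

@dataclass
class AppRecord:
    package: str
    display_name: str
    cert_sha256: str
    installer: str
    granted: set = field(default_factory=set)  # runtime-granted permissions
    used: set = field(default_factory=set)     # permissions actually exercised

def impersonation_target(app, min_ratio=0.8):
    """Return the allowlisted package whose display name this app approximates,
    or None. The allowlisted app itself (same package and certificate) is
    legitimate, not an impersonator."""
    best, best_ratio = None, 0.0
    for pkg, meta in LEGIT_BANKING_APPS.items():
        ratio = SequenceMatcher(None, app.display_name.lower(),
                                meta["name"].lower()).ratio()
        if ratio > best_ratio:
            best, best_ratio = pkg, ratio
    if best is None or best_ratio < min_ratio:
        return None
    if app.package == best and app.cert_sha256 == LEGIT_BANKING_APPS[best]["cert"]:
        return None
    return best

def clusters_in_use(app):
    """Clusters where a permission was both granted and actually used."""
    active = app.granted & app.used
    return sorted(c for c, perms in CAPABILITY_CLUSTERS.items() if active & perms)

def assess(app, min_clusters=3):
    """Combine impersonation, install source and capability use into a verdict."""
    target = impersonation_target(app)
    clusters = clusters_in_use(app)
    reasons = []
    if target:
        reasons.append(f"name resembles allowlisted {target} but package/cert differ")
    if app.installer not in TRUSTED_INSTALLERS:
        reasons.append(f"installed via untrusted installer {app.installer}")
    if len(clusters) >= min_clusters:
        reasons.append("capability clusters in use: " + ", ".join(clusters))
    # Impersonation plus multi-cluster use is the Fakecalls-style pattern;
    # either signal alone only warrants analyst review.
    if target and len(clusters) >= min_clusters:
        verdict = "alert"
    elif reasons:
        verdict = "review"
    else:
        verdict = "ok"
    return {"package": app.package, "verdict": verdict,
            "clusters": clusters, "reasons": reasons}

P = "android.permission."
# Constructed inventory: the real allowlisted app, a sideloaded impersonator
# exercising call, audio, collection, location and file access, and a
# name-collision from a trusted store with little capability (review, not alert).
SAMPLE_INVENTORY = [
    AppRecord("com.examplebank.mobile", "Example Bank", "AA11" * 16, "com.android.vending",
              granted={P + "CAMERA", P + "ACCESS_FINE_LOCATION"},
              used={P + "CAMERA", P + "ACCESS_FINE_LOCATION"}),
    AppRecord("com.examp1ebank.mobile", "Example Bank", "DEAD" * 16, "com.android.packageinstaller",
              granted={P + p for p in ("RECORD_AUDIO", "CALL_PHONE", "ANSWER_PHONE_CALLS",
                                       "SYSTEM_ALERT_WINDOW", "READ_CALL_LOG", "READ_CONTACTS",
                                       "READ_SMS", "ACCESS_FINE_LOCATION",
                                       "READ_EXTERNAL_STORAGE", "CAMERA")},
              used={P + p for p in ("RECORD_AUDIO", "CALL_PHONE", "ANSWER_PHONE_CALLS",
                                    "SYSTEM_ALERT_WINDOW", "READ_CALL_LOG", "READ_CONTACTS",
                                    "READ_SMS", "ACCESS_FINE_LOCATION", "READ_EXTERNAL_STORAGE")}),
    AppRecord("com.thirdparty.widget", "Example Bank", "CC33" * 16, "com.android.vending",
              granted={P + "READ_CONTACTS"}, used={P + "READ_CONTACTS"}),
]

def run_inventory(inventory=SAMPLE_INVENTORY):
    return {r["package"]: r["verdict"] for r in map(assess, inventory)}

if __name__ == "__main__":
    for app in SAMPLE_INVENTORY:
        print(assess(app))
```

In production the inventory rows would come from MDM or mobile threat defense exports, and the runtime-use set from permission-usage telemetry where the platform exposes it; without the use column the script degrades to grant-only scoring, which is exactly the noisier signal the guidance above warns against.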
Mitigation priorities
- Establish or validate Android app governance: approved app sources, enterprise allowlisting where appropriate, and review of apps that imitate trusted banking or business applications.
- Use mobile device management or equivalent controls to inventory installed apps, inspect risky permissions, and support rapid removal or quarantine of suspicious applications.
- Educate users and help desks to treat unexpected banking-call behavior, unusual permission prompts, or app impersonation as reportable security events.
- Harden identity and fraud workflows so phone-call interactions are not the sole trust anchor for sensitive transactions or account recovery.
- Prepare mobile IR procedures for evidence preservation, device isolation, app removal, credential reset decisions, and review of exposed SMS, contacts, call logs, files, and location data.
Analyst notes and limits
The most decision-relevant detail is the combination of banking-app masquerade and call interception/dialogue capability. The relationship set broadens the defensive lens beyond calls to include audio, video, location, local data, call logs, contacts, SMS, file deletion, exfiltration over C2, and matching legitimate names or locations. This should drive validation of mobile visibility and fraud-response readiness rather than a narrow malware-signature exercise.
This take is limited to the supplied MITRE ATT&CK fields, one external reference, and listed relationships. ATT&CK does not provide official detection text, aliases, labels, or tactics for this object in the supplied data. Local conclusions about exposure, active exploitation, indicators, affected users, and control effectiveness require environment-specific mobile telemetry and incident evidence.
Fakecalls
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1533 | Data from Local System | Fakecalls can access and exfiltrate files, such as photos or video. [1] |
| Mobile | T1636.002 | Call Log Sub-technique | Fakecalls can access the device’s call log. [1] |
| Mobile | T1512 | Video Capture | Fakecalls can request camera permissions. [1] |
| Mobile | T1430 | Location Tracking | Fakecalls can access a device’s location. [1] |
| Mobile | T1636.003 | Contact List Sub-technique | Fakecalls can copy and exfiltrate a device’s contact list. [1] |
| Mobile | T1429 | Audio Capture | Fakecalls can turn on a device’s microphone to capture audio. [1] |
| Mobile | T1636.004 | SMS Messages Sub-technique | Fakecalls can access text message history. [1] |
| Mobile | T1616 | Call Control | Fakecalls can intercept and imitate phone conversations by breaking the connection and displaying a fake call screen. It can also make outgoing calls and spoof incoming calls. [1] |
| Mobile | T1655.001 | Match Legitimate Name or Location Sub-technique | Fakecalls has masqueraded as popular Korean banking apps. [1] |
| Mobile | T1646 | Exfiltration Over C2 Channel | Fakecalls can send exfiltrated data back to the C2 server. [1] |
| Mobile | T1630.002 | File Deletion Sub-technique | Fakecalls can manipulate a device’s call log, including deleting incoming calls. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | cbd8689f16cb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] kaspersky_fakecalls_0422: Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. Retrieved July 21, 2023.
- [2] mitre-attack: S1080.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.