PSA: FakeCall Malware Affecting Android Phones

A new version of the FakeCall malware for Android is actively targeting users by hijacking outbound calls meant for financial institutions, redirecting them to fraudulent numbers controlled by attackers. This malware impersonates customer service functions, displaying trusted names and contact information to trick victims into sharing sensitive data.

What is happening?

In recent years, a new form of Android malware known as “FakeCall” has emerged, targeting unsuspecting smartphone users worldwide. FakeCall is a sophisticated malware that tricks users into thinking they’re communicating directly with their financial institution. Once installed, it can hijack outgoing calls so that even if an individual dials their bank’s legitimate number, the malware redirects the call to fraudsters posing as bank representatives. This redirection occurs without the individual’s knowledge, creating a highly deceptive interaction that feels authentic.

Once installed on a victim’s device, FakeCall can:

• Intercept and manipulate outgoing calls: When an individual tries to contact their bank, FakeCall secretly reroutes the call to a phone number controlled by attackers, creating the illusion that they’re speaking with a trusted institution.

• Display a fake call interface that mimics the legitimate Android dialer, using trusted names and contact information to heighten deception.

• Record live audio, monitor messages, and even capture video without the victim’s awareness, enabling attackers to gather sensitive information throughout the conversation.

Key behaviors of FakeCall malware:

• FakeCall typically infiltrates devices via malicious apps that appear identical to legitimate banking apps. These apps are often found in unofficial app stores, on fake websites, or through phishing links.

• Once installed, the malware takes control of phone functions, initiating fake calls that appear to come from legitimate customer service numbers. The malware can intercept and redirect calls intended for banks to fraudulent phone numbers, displaying the caller ID of well-known banks or service centers to make the calls appear trustworthy.

What should you do if you encounter fakecall?

1. Stay alert for red flags: If you have a suspicious customer service interaction or unexpected requests for sensitive information—even if you initiated the contact—you may have encountered FakeCall.

2. Educate yourself: Only download apps from trusted sources. Avoid sharing sensitive information over the phone. Only use secure channels—such as online account portals—for sensitive communication whenever possible.

3. Take quick action if you think you’ve encountered FakeCall or another scam:

   • Uninstall suspicious apps that may contain malware. Change passwords on all banking and sensitive accounts.

   • Monitor accounts closely for unauthorized transactions.

   • Contact your financial institutions to report any suspected compromise.

4. Do your best to stay vigilant against fraud!

The information in this material is intended for the recipient’s background information and use only. It is provided in good faith and without any warranty or representation as to accuracy or completeness. Information and opinions presented in this material have been obtained or derived from sources believed by Dimensional to be reliable, and Dimensional has reasonable grounds to believe that all factual information herein is true as at the date of this material. It does not constitute investment advice, a recommendation, or an offer of any services or products for sale and is not intended to provide a sufficient basis on which to make an investment decision. Before acting on any information in this document, you should consider whether it is appropriate for your particular circumstances and, if appropriate, seek professional advice. It is the responsibility of any persons wishing to make a purchase to inform themselves of and observe all applicable laws and regulations. Unauthorized reproduction or transmission of this material is strictly prohibited. Dimensional accepts no responsibility for loss arising from the use of the information contained herein.

This material is not directed at any person in any jurisdiction where the availability of this material is prohibited or would subject Dimensional or its products or services to any registration, licensing, or other such legal requirements within the jurisdiction. “Dimensional” refers to the Dimensional separate but affiliated entities generally, rather than to one particular entity. These entities are Dimensional Fund Advisors LP, Dimensional Fund Advisors Ltd., Dimensional Ireland Limited, DFA Australia Limited, Dimensional Fund Advisors Canada ULC, Dimensional Fund Advisors Pte. Ltd., Dimensional Japan Ltd., and Dimensional Hong Kong Limited. Dimensional Hong Kong Limited is licensed by the Securities and Futures Commission to conduct Type 1 (dealing in securities) regulated activities only and does not provide asset management services.

RISKS: Investments involve risks. The investment return and principal value of an investment may fluctuate so that an investor’s shares, when redeemed, may be worth more or less than their original value. Past performance is not a guarantee of future results. There is no guarantee strategies will be successful.