Voice Phishing Syndicates Unmasked: An In-Depth Investigation and Exposure
This talk details the operational infrastructure and attack techniques of South Korean voice phishing syndicates, specifically focusing on the 'SecretCalls' malware family. The researchers analyze how these groups use malicious Android applications to perform call redirection, surveillance, and data theft by impersonating law enforcement and financial institutions. The presentation demonstrates an automated analysis pipeline used to extract command-and-control (C2) infrastructure, including Reddit profiles and malicious phone numbers, from over 64,000 collected APK samples. The findings provide actionable intelligence for identifying and blocking phishing infrastructure used in sophisticated social engineering campaigns.
Anatomy of the SecretCalls Voice Phishing Syndicate
TLDR: South Korean voice phishing syndicates are using a sophisticated malware family called SecretCalls to perform real-time call redirection and surveillance. By impersonating law enforcement and financial institutions, these attackers use custom Android APKs to intercept calls and exfiltrate sensitive data. This research highlights the need for automated analysis of malicious APKs to track evolving command-and-control infrastructure and protect users from high-stakes social engineering.
Voice phishing, or vishing, has evolved from simple cold-calling scams into a highly organized, tech-driven industry. While many security researchers focus on web-based exploits or cloud misconfigurations, the reality for millions of mobile users is a persistent, targeted threat that bypasses traditional endpoint security. The SecretCalls malware family represents a significant shift in this space, moving beyond basic credential theft to full-blown call interception and real-time surveillance.
The Mechanics of SecretCalls
At its core, SecretCalls is a multi-stage Android malware designed to establish complete control over a victim's device. The attack flow typically begins with a social engineering hook, often via SMS or a direct phone call where the attacker impersonates a government official or bank employee. Once the victim is sufficiently panicked, they are coerced into installing a malicious APK.
The malware uses a two-stage file structure to evade static analysis. The first stage, which the researchers call the "loader," acts as a wrapper. It contains the core malicious payload, often hidden within the assets directory as an encrypted class file. This file is decrypted and loaded into memory at runtime, making it difficult for standard signature-based scanners to detect the malicious intent before the code is already executing.
One of the most dangerous features of SecretCalls is its ability to perform call redirection. When a victim attempts to call a legitimate bank or law enforcement number, the malware intercepts the intent, cancels the original call, and initiates a new connection to the attacker's call center. Because the malware overlays a fake UI on top of the legitimate phone app, the victim remains unaware that they are speaking to a fraudster rather than a bank representative.
Technical Evasion and C2 Infrastructure
Attackers behind SecretCalls are not just writing code; they are managing a complex, distributed infrastructure. The researchers identified that these syndicates use Firebase Cloud Messaging (FCM) to push commands to infected devices. By leveraging a legitimate service, the attackers ensure their C2 traffic blends in with normal application notifications, complicating network-based detection.
The malware also employs anti-decompilation techniques to frustrate reverse engineering. For instance, the researchers noted that the attackers manipulate the ZIP header of the APK file, specifically the compression method and timestamp fields. By setting these to non-standard values, they can break many automated analysis tools that expect a perfectly formatted ZIP file. Tools like apk_cure are essential for fixing these headers manually, allowing researchers to unpack the payload and inspect the underlying DEX files.
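As an added illustration of the header tampering described above (example code written for this summary, not the researchers' pipeline or apk_cure), the following scanner parses the ZIP central directory of an APK by hand and flags records whose compression method or DOS timestamp fall outside what Android build tools ever emit; the anomaly thresholds and the tampered sample are assumptions constructed for the example.

```python
import io, struct, zipfile

EOCD_SIG, CEN_SIG = b"PK\x05\x06", b"PK\x01\x02"
STANDARD_METHODS = {0, 8}  # stored / deflated: the only methods Android build tools emit

def iter_central_directory(data: bytes):
    """Yield (name, method, dos_time, dos_date, record_offset) for every central directory record."""
    eocd = data.rindex(EOCD_SIG)  # ValueError if there is no end-of-central-directory record
    n_entries, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(n_entries):
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        method, dos_time, dos_date = struct.unpack_from("<HHH", data, pos + 10)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        yield data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"), method, dos_time, dos_date, pos
        pos += 46 + name_len + extra_len + comment_len

def find_header_anomalies(data: bytes):
    """Return (entry name, reason) pairs for header fields no legitimately built APK carries."""
    findings = []
    for name, method, dos_time, dos_date, _ in iter_central_directory(data):
        if method not in STANDARD_METHODS:
            findings.append((name, f"non-standard compression method {method}"))
        month, day, hour, minute = (dos_date >> 5) & 0xF, dos_date & 0x1F, dos_time >> 11, (dos_time >> 5) & 0x3F
        if not (1 <= month <= 12 and 1 <= day <= 31 and hour <= 23 and minute <= 59):
            findings.append((name, f"invalid DOS timestamp date=0x{dos_date:04x} time=0x{dos_time:04x}"))
    return findings

def stock_tooling_can_read(data: bytes, name: str) -> bool:
    """True if Python's zipfile (standing in for off-the-shelf unpackers) can extract the entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name)
        return True
    except (NotImplementedError, RuntimeError, zipfile.BadZipFile):
        return False

def build_tampered_apk() -> bytes:
    """Constructed sample: a two-entry zip whose payload record gets a bogus method and a zeroed date."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("assets/payload.bin", b"\x10" * 64)  # stands in for the encrypted stage-2 class file
    data = bytearray(buf.getvalue())
    for name, _, _, _, pos in list(iter_central_directory(bytes(data))):
        if name == "assets/payload.bin":
            struct.pack_into("<HHH", data, pos + 10, 0x00FF, 0, 0)  # method 255 (not real), time 0, date 0 (month/day 0)
    return bytes(data)
```

The scanner reads only the central directory; a production check would also compare each record against its local file header, since the two copies of these fields can be made to disagree.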
The C2 infrastructure itself is highly dynamic. The malware retrieves its configuration from external sources, including Reddit profiles, which the attackers update regularly to point to new C2 servers. This decentralization makes it difficult to take down the entire operation with a single blocklist. The researchers found over 130 C2 servers, primarily located in Hong Kong, Japan, and South Korea, demonstrating a clear regional focus for these campaigns.
Pentesting and Research Implications
For a penetration tester or a bug bounty hunter, the primary takeaway is the importance of understanding the full lifecycle of a mobile attack. If you are conducting a mobile application security assessment, do not just look for hardcoded API keys or insecure storage. You must analyze how the application handles inter-process communication and whether it has the capability to intercept system-level intents.
The impact of this malware falls squarely under OWASP Mobile Top 10 categories, specifically those related to insecure authentication and improper platform usage. When testing, look for applications that request excessive permissions, such as CALL_PHONE or PROCESS_OUTGOING_CALLS, without a clear, legitimate business case. If an application is designed to "detect" phishing, yet requires full access to your call logs and the ability to redirect calls, it should be treated as a high-risk finding.
Automated Analysis as a Defense
Manual analysis of 64,000 APK samples is impossible. The researchers built an automated pipeline that extracts key indicators of compromise (IoCs), such as C2 endpoints, phone numbers, and decryption keys, directly from the APKs. This level of automation is the only way to keep pace with the syndicates. By identifying the patterns in how these apps are built—such as the specific native libraries used for decryption—defenders can create more resilient detection rules that don't rely on static file hashes.
Security researchers should prioritize the development of automated extraction tools that can handle these multi-stage payloads. If you are working in a SOC or a threat intelligence team, focus on the behavioral patterns of the C2 communication rather than the static properties of the APK. The attackers will always change their file hashes and their C2 domains, but their reliance on specific communication protocols and infrastructure providers remains a constant that can be exploited for better defense.
The fight against these syndicates is an arms race. As long as the attackers can easily spin up new infrastructure and distribute malicious apps, the burden falls on researchers to automate the discovery and neutralization of these threats. Keep digging into the loaders, keep automating the extraction of the C2 configs, and keep sharing the IoCs. The more we expose their infrastructure, the more expensive and difficult we make their operations.