Voice Phishing Syndicates Unmasked: An In-Depth Investigation and Exposure

Discover how voice phishing syndicates operate, from their organizational structure to attack tactics. Learn about malware, impersonation methods & evolving threats in this analysis.

Key takeaways
  • Voice phishing groups in South Korea operate with complex organizational structures, including separate teams for call centers, administration, and money laundering

  • Groups commonly impersonate law enforcement and financial institutions, with over 50% masquerading as law enforcement and 20% as banks

  • Attackers use malicious APKs (particularly the “Secret Code” family) to gain control over victims’ phones, enabling call monitoring, camera access, and data theft

  • The number of victims has decreased but per-victim losses have increased, suggesting more targeted and sophisticated attacks

  • Groups utilize Firebase for command and control (C&C) infrastructure, with over 130 C&C servers identified, most of them hosted in Hong Kong, Japan, and elsewhere in Asia

  • Attackers encrypt their malicious code and C&C communications, primarily with AES, to shield them from analysis and detection

  • Voice phishing apps often disguise themselves as legitimate security or anti-phishing applications from law enforcement

  • Groups use fake documents, official-looking websites, and psychological manipulation to convince targets of legitimacy

  • Infrastructure is shared among different criminal groups, with specific providers supplying malware and phishing resources

  • Attack methods have evolved to include messenger phishing, fake loan schemes, and institutional impersonation tactics
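The takeaways above describe phishing APKs that pose as anti-phishing or police security apps while demanding the permissions needed to monitor and redirect calls, record audio, use the camera, and control the screen. A practical first-pass check is to read the permissions an APK actually declares and compare them with what its label claims to be. The following is an added example written for this page, not code from the original report or from any vendor; the manifests are constructed for illustration, and the permission groupings, label keywords, and scoring thresholds are this example's own assumptions, not figures from the source.

```python
"""Triage heuristic for the AndroidManifest.xml of a suspected voice-phishing app.

The manifest strings below are constructed for this example. Permission
groups, label keywords and thresholds are assumptions chosen to illustrate
the technique, not values taken from the report summarised on this page.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability groups a call-interception app typically needs (assumed grouping).
CATEGORIES = {
    "call_control": {
        "android.permission.CALL_PHONE",
        "android.permission.ANSWER_PHONE_CALLS",
        "android.permission.PROCESS_OUTGOING_CALLS",
        "android.permission.READ_PHONE_STATE",
    },
    "call_monitor": {
        "android.permission.READ_CALL_LOG",
        "android.permission.RECORD_AUDIO",
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
    },
    "camera": {"android.permission.CAMERA"},
    "ui_control": {
        "android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.BIND_ACCESSIBILITY_SERVICE",
    },
}

# Words a phishing app might use in its label to pose as a security tool (assumed).
SECURITY_WORDS = ("anti-phishing", "antiphishing", "security", "police", "prosecutor")


def declared_permissions(manifest_xml):
    """Return (set of permission names, application label) from a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    # Accessibility services are not requested with <uses-permission>; the
    # <service> itself is protected by BIND_ACCESSIBILITY_SERVICE, so pick up
    # the android:permission attribute of every declared service as well.
    perms |= {el.get(ANDROID_NS + "permission") for el in root.iter("service")}
    perms.discard(None)
    app = root.find("application")
    # Real manifests usually reference a string resource here (@string/app_name);
    # the constructed samples use a literal label to keep the example offline.
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    return perms, label


def triage(manifest_xml):
    """Score a manifest: which capability groups it hits and a coarse verdict."""
    perms, label = declared_permissions(manifest_xml)
    hits = {
        cat: sorted(perms & wanted)
        for cat, wanted in CATEGORIES.items()
        if perms & wanted
    }
    claims_security = any(word in label.lower() for word in SECURITY_WORDS)
    # Thresholds are assumptions: call control plus screen/accessibility control
    # is the pairing that lets an app hijack a victim's call to a bank or police.
    if len(hits) >= 3 or ("call_control" in hits and "ui_control" in hits):
        verdict = "high"
    elif hits:
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "label": label,
        "hits": hits,
        "claims_security": claims_security,
        "verdict": verdict,
    }


# Constructed sample: an app labelled as a police anti-phishing tool that asks
# for call control, call logging, audio, camera, overlays and accessibility.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.antiphishing">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.ANSWER_PHONE_CALLS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Police Anti-Phishing">
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with no call or screen capabilities.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage(xml))
```

On a real sample, extract the manifest first (for example with `apktool d sample.apk`, which decodes it to plain XML) and feed the resulting file to `triage`; a label that claims to be a police or anti-phishing app combined with a "high" verdict is the mismatch the takeaways above describe and is worth a full dynamic analysis of the APK's call-handling and C&C behaviour.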