In South Korea, voice phishing has been proliferating with the advent of voice phishing apps: the number of annual victims had risen to 34,527 in 2020, representing financial losses of approximately 598 million USD. However, the voice phishing functionalities that these abusive apps implement are largely understudied. To this end, we analyze 1,017 voice phishing apps and reveal new phishing functionalities: outgoing call redirection, call screen overlay, and fake call voice. We find that call redirection that changes the intended recipients of victims' outgoing calls plays a critical role in facilitating voice phishing; our user study shows that 87% of the participants did not notice that their intended recipients were changed when call redirection occurred. We further investigate implementations of these fatal functionalities to distinguish their malicious behaviors from their corresponding behaviors in benign apps. We then propose HearMeOut, an Android system-level service that detects phishing behaviors that phishing apps conduct in runtime and blocks the detected behaviors. HearMeOut achieves high accuracy with no false positives or negatives in classifying phishing behaviors while exhibiting an unnoticeable latency of 0.36 ms on average. Our user study demonstrates that HearMeOut is able to prevent 100% of participants from being phished by providing active warnings. Our work facilitates a better understanding of recent voice phishing and proposes practical mitigation with recommendations for Android system changes.
CCS CONCEPTS• Security and privacy → Mobile and wireless security; Malware and its mitigation; Intrusion/anomaly detection and malware mitigation; Domain-specific security and privacy architectures.