Cybercriminals are now using an updated version of Android malware, dubbed “FakeCall,” to take over phone dialers and intercept calls made to banks, according to a report from mobile security platform Zimperium.

Kaspersky first reported the malware in 2022. It mimicked banking apps and let users make calls through them. The attackers overlaid the bank’s actual number on victims’ screens and impersonated bank employees to make the calls more believable to extract sensitive information.

The updated version of the malware takes the scheme a step further. “The attack typically begins when victims download an APK file onto an Android mobile device through a phishing attack,” malware researcher Fernando Ortega explains. Users will be unaware of the takeover until they uninstall the malicious app, he adds.

During installation, it asks the user to set itself as the default calling app. Once permitted, the malware gains significant control via Android’s accessibility service and oversees all incoming and outgoing calls. If a user tries to call the bank, it reroutes the call to the attacker’s number.

According to the new research, the malware has received a few other upgrades as well. It can now monitor the vulnerable device’s Bluetooth status and screen activity and see the data on the screen. It can also potentially grant device permissions to apps without user consent and give attackers remote device control.