✅ Report Title: Detailed Analysis of HeadCalls: Impersonation of Korean Public and Financial Institutions
S2W Threat Intelligence Center TALON identified a new type of voice phishing malware targeting domestic mobile users beginning on August 21, 2025, and conducted an analysis.
✅ Executive Summary:
- Voice phishing groups build phishing pages and develop Android malware, luring victims to the malicious site so that they install the malicious application, which is then used for financial theft.
- The core capability of the malware is forced forwarding of incoming and outgoing calls: calls the victim makes to investigative or financial institutions are redirected to the attacker, and calls from those institutions to the victim are likewise redirected to the attacker.
- S2W Threat Intelligence Center TALON identified the newly distributed malware beginning on August 21, 2025, and named it HeadCalls Loader and HeadCalls based on its use of the HEADSETHOOK event to terminate calls when call permissions are not granted.
- The attacker created phishing pages impersonating the Korea Consumer Agency, Korea Inclusive Finance Agency, and multiple financial companies to induce users to download the malicious application.
📌 What Are 'HeadCalls Loader' and 'HeadCalls'
- The application downloaded from the phishing page is HeadCalls Loader, which abuses Accessibility Service to install HeadCalls, grant permissions, and redirect to fake call views without user interaction.
- HeadCalls, executed by the Loader, receives forwarding numbers via socket communication and performs forced call forwarding.
1) About 'HeadCalls Loader'
- The Loader is malware that drops and installs the HeadCalls application stored inside it. It abuses Accessibility Service to forcibly complete installation, permission approval, and other interactions that normally require user input.
- When MainActivity is executed for the first time, asset/web/index.html is displayed in a WebView to impersonate the Korea Consumer Agency.
- After required permissions are granted, the Loader attempts to install an additional malicious application that performs the actual voice phishing functions.
2) About 'HeadCalls'
- HeadCalls is forcibly installed by the Loader and executed with all required permissions already granted.
- It performs call forwarding, displays fake dialer and call screens through overlays, and conducts additional malicious activity using socket communication with the C2 server.
- Because the Loader implements forced permission approval through Accessibility Service, all dangerous permissions are accepted without user involvement.
- Key Dangerous Permissions Requested by HeadCalls
  - Battery optimization exclusion to prevent background execution from being suspended.
  - Notification access for persistence through foreground notifications.
  - Overlay permission to render fake dialers or call screens above other applications.
📌 How Forced Call Forwarding and Call Log Manipulation Occur
- Forced call forwarding redirects calls the victim makes to investigative or financial institutions to the attacker, and likewise redirects calls from those institutions to the victim to the attacker.
- When executed for the first time, the malware requests to be set as the default phone application. Once set, it gains full control over call handling and call log modification, enabling forced forwarding and alteration of call history.
- For detailed information on the forced call forwarding mechanism, please contact us through the link below.
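One way a responder could check a device for the Loader-to-HeadCalls chain described above (a package with an enabled accessibility service installing the app that then takes the default dialer role and the overlay permission), as an added example that is neither S2W's code nor the malware's. The adb commands named in the comments and the package names are assumptions, and all inputs are constructed.

```python
import re
from typing import Dict, List, Set

# Hypothetical triage helper added as an example; it is not S2W's tooling.
# It correlates settings an analyst can pull over adb. The command names are
# assumptions and the strings fed to it are constructed, not real device output:
#   settings get secure enabled_accessibility_services -> "pkg/svc:pkg/svc"
#   cmd role get-role-holders android.app.role.DIALER  -> "pkg"
#   pm list packages -i                                 -> "package:pkg  installer=pkg"
#   pm list packages -s                                 -> "package:pkg" (system apps)
#   appops get <pkg> SYSTEM_ALERT_WINDOW                -> "SYSTEM_ALERT_WINDOW: allow; ..."

STORE_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}


def parse_accessibility(value: str) -> Set[str]:
    """Packages owning an enabled accessibility service (the Loader's foothold)."""
    return {entry.split("/")[0] for entry in value.split(":") if "/" in entry}


def parse_installers(listing: str) -> Dict[str, str]:
    """Map package -> installer; 'null' means sideloaded or preinstalled."""
    return dict(re.findall(r"package:(\S+)\s+installer=(\S+)", listing))


def parse_packages(listing: str) -> Set[str]:
    """Package names from a plain 'pm list packages' style listing."""
    return set(re.findall(r"package:(\S+)", listing))


def triage(accessibility: str, dialer: str, installers: str,
           system: str, overlay_allowed: Set[str]) -> List[str]:
    """Findings describing a Loader -> HeadCalls style chain around the default dialer."""
    a11y = parse_accessibility(accessibility)
    installer = parse_installers(installers).get(dialer, "null")
    is_system = dialer in parse_packages(system)
    findings = []
    if installer in a11y:
        # Strongest signal on this page: the default dialer was installed by a
        # package that holds an enabled accessibility service, which is how the
        # Loader installs HeadCalls without the user tapping anything.
        findings.append(f"dialer {dialer} installed by accessibility-enabled package {installer}")
    elif not is_system and installer not in STORE_INSTALLERS:
        findings.append(f"dialer {dialer} sideloaded (installer={installer})")
    if dialer in overlay_allowed and not is_system:
        # Dialer role plus overlay permission is what lets fake call screens be drawn.
        findings.append(f"dialer {dialer} may draw over other apps (fake call screens)")
    return findings
```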
✅ Recommended Threat Detection and Mitigation Actions:
- Recent voice phishing malware uses themes such as registered mail, loan offers, or prosecution case inquiries to induce installation. Users should avoid clicking suspicious links or messages related to postal, loan, or prosecution notices.
🧑‍💻 Author: S2W TALON
👉 Contact us: https://s2w.inc/en/contact
*The full report is available upon request or with a subscription to the S2W platform.