The silence of the phishers: Early-stage voice phishing detection with runtime permission requests

Abstract

Voice phishing (vishing) is a sophisticated phone scam that causes significant financial harm to victims. Recently, vishing attacks have become more effective due to the use of vishing malware installed on victims’ devices. Conventional anti-malware solutions, which rely on static analysis of app code and permissions at install time, are circumvented by vishing malware that requests additional code and permissions after installation. We introduce VishielDroid, a novel system for real-time detection of vishing malware on Android devices. By dynamically tracking apps’ runtime permission requests, a critical indicator of malicious behavior specific to vishing malware, VishielDroid outperforms state-of-the-art systems in detection accuracy. Using only 98 features, VishielDroid achieved an F1-score of 99.78% with systematic testing, surpassing other solutions that achieve lower F1-scores (69.27% to 80.25%). The system demonstrated superior robustness across various scenarios: maintaining high performance with reduced training data and imbalanced datasets, achieving a 99.57% F1-score with a reduced feature set despite evasion attempts, and operating effectively across Android versions 8.1 to 12 with minimal modifications. We validated VishielDroid’s practicality through deployment on real devices, confirming marginal memory and battery consumption overheads.