The infamous mobile banking trojan that recently added ransomware features to steal sensitive data and lock user files at the same time has now been modified to steal credentials from Uber and other booking apps as well.
Security researchers at Kaspersky Lab have discovered a new variant of the Android banking Trojan called Faketoken that now has capabilities to detect and record an infected device’s calls and display overlays on top of taxi booking apps to steal banking information.
Dubbed Faketoken.q, the new variant of mobile banking trojan is being distributed using bulk SMS messages as their attack vector, prompting users to download an image file that actually downloads the malware.
Malware Spy On Telephonic Conversations
Once downloaded, the malware installs the necessary modules and the main payload, which hides its shortcut icon and begins monitoring everything—from every calls to launched apps—that happens on the infected Android device.
When calls are made to or received from certain phone numbers on the victim’s device, the malware begins to record those conversations and sends the recordings to the attacker’s server.
Moreover, Faketoken.q also checks which apps the smartphone owner is using and when detects the launch of an app whose interface it can simulate, the Trojan immediately overlays the app with a fake user interface.
Malware Exploits Overlay Feature to Steal Credit Card Details
In order to achieve this, the Trojan uses the same standard Android feature that is being employed by a whole bunch of legitimate apps, such as Facebook Messenger, window managers, and other apps, to show screen overlays on top of all other apps.
The fake user interface prompts victims to enter his or her payment card data, including the bank’s verification code, which can later be used by attackers to initiate fraudulent transactions.
Faketoken.q is capable of overlaying a large number of mobile banking apps as well as miscellaneous applications, such as:
- Android Pay
- Google Play Store
- Apps for paying traffic tickets
- Apps for booking flights and hotel rooms
- Apps for booking taxis
Since fraudsters require an SMS code sent by the bank to authorise a transaction, the malware steals incoming SMS message codes and forward them to the attackers command-and-control (C&C) server for a successful attack.
According to the researchers, Faketoken.q has been designed to target Russian-speaking users, as it uses the Russian language on the user interface.
Ways to Protect Against Such Android Banking Trojans
The easiest way to prevent yourself being a victim of such mobile banking Trojans is to avoid downloading apps via links provided in messages or emails, or any third-party app store.
You can also go to Settings → Security and make sure “Unknown sources” option is turned off in order to block installation of apps from unknown sources.
Most importantly, verify app permissions before installing apps, even if it is downloaded from official Google Play. If you find any app asking more than what it is meant for, just do not install it.
It’s always a good idea to install an antivirus app from a reputed vendor that can detect and block such malware before it can infect your device, and always keep your system and apps up-to-date.