Mobile banking malware can encrypt data for ransom, targets 2,000+ apps – Kaspersky Lab
A modification of the mobile banking trojan Faketoken can encrypt user data to extort a ransom from the user, according to experts at Kaspersky Lab.
More than 16,000 people in 27 countries have fallen victim to the modification, which targets more than 2,000 Android financial apps.
The mobile banking trojan, referred to as a modification of Trojan-Banker.AndroidOS.Faketoken by Kaspersky senior malware analyst Roman Unuchek, is distributed “under the guise of various programs and games, often imitating Adobe Flash Player,” according to the cybersecurity firm.
Unuchek went on to say that the trojan is capable of interacting with operating system protection mechanisms. For instance, it requests rights to overlay other apps or the right to be a default SMS application.
“This allows Faketoken to steal user data even in the latest versions of Android,” according to Unuchek.
Once the trojan becomes active, it requests administrator rights. If the user denies the request, it repeatedly refreshes the window asking for the rights. Left with little other choice, the victim finally agrees.
From there, Faketoken starts requesting permissions including access to the user’s text messages, files, and contacts, as well as the ability to send text messages and make calls. Once again, those requests are repeatedly displayed until the user finally agrees to provide access.
It also requests the ability to display windows on top of other applications, which is necessary to block the device and steal user data by displaying phishing pages.
The final request is for the right to be the default SMS application, allowing Faketoken to secretly steal text messages on the latest versions of Android.
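The set of rights described above (device administrator, overlay, default SMS handler, plus SMS, contacts, files and call access) is visible in an app's manifest before it is ever installed. The following triage check is an added example, not Kaspersky's tooling: it assumes the manifest has already been decoded to text XML, and the function names, the flagging rule and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Capabilities the article lists, mapped to the manifest entries that declare them.
PERMISSION_GROUPS = {
    "read_sms": {P + "READ_SMS", P + "RECEIVE_SMS"},
    "send_sms": {P + "SEND_SMS"},
    "contacts": {P + "READ_CONTACTS"},
    "files": {P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE"},
    "calls": {P + "CALL_PHONE"},
    "overlay": {P + "SYSTEM_ALERT_WINDOW"},
}
ACTION_GROUPS = {
    "device_admin": "android.app.action.DEVICE_ADMIN_ENABLED",
    "default_sms_app": "android.provider.Telephony.SMS_DELIVER",
}
CORE = {"device_admin", "overlay", "default_sms_app"}  # assumed triage rule

def capabilities(manifest_xml):
    """Return the set of capability names a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    actions = {e.get(ANDROID + "name") for e in root.iter("action")}
    found = {n for n, wanted in PERMISSION_GROUPS.items() if perms & wanted}
    return found | {n for n, act in ACTION_GROUPS.items() if act in actions}

def triage(manifest_xml):
    found = capabilities(manifest_xml)
    return {"capabilities": sorted(found), "flag": CORE <= found}

def _manifest(perms, actions):
    ns = 'xmlns:android="http://schemas.android.com/apk/res/android"'
    p = "".join(f'<uses-permission android:name="{P}{x}"/>' for x in perms)
    a = "".join(f'<receiver><intent-filter><action android:name="{x}"/>'
                "</intent-filter></receiver>" for x in actions)
    return (f'<manifest {ns} package="com.example.sample">{p}'
            f"<application>{a}</application></manifest>")

# Constructed samples: one declares everything the article lists, one is an ordinary SMS app.
SUSPECT = _manifest(["READ_SMS", "SEND_SMS", "READ_CONTACTS", "CALL_PHONE",
                     "WRITE_EXTERNAL_STORAGE", "SYSTEM_ALERT_WINDOW"],
                    list(ACTION_GROUPS.values()))
BENIGN_SMS = _manifest(["READ_SMS", "SEND_SMS", "READ_CONTACTS"],
                       ["android.provider.Telephony.SMS_DELIVER"])

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT), ("benign_sms", BENIGN_SMS)):
        print(name, triage(xml))
```

A manifest only shows what an app declares, not what the user has granted, so a match is a reason to inspect the app further rather than a verdict.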
Once the “preparatory stage” is over, the trojan begins stealing user data. It downloads a database from the server containing phrases in 77 languages for different device localizations.