Mobile banking malware can encrypt data for ransom, targets 2,000+ apps – Kaspersky Lab
A modification to mobile banking app Faketoken can encrypt user data to extort a ransom from the user, according to experts at Kaspersky Lab.
More than 16,000 people in 27 countries have fallen victim to the modification, which targets more than 2,000 Android financial apps.
The mobile banking trojan, referred to as a modification of Trojan-Banker.AndroidOS.Faketoken by Kaspsersky senior malware analyst Roman Unuchek, is distributed "under the guise of various programs and games, often imitating Adobe Flash Player," according to the cybersecurity firm.
Unuchek went on to say that the trojan is capable of interacting with operating system protection mechanisms. For instance, it requests rights to overlay other apps or the right to be a default SMS application.
"This allows Faketoken to steal user data even in the latest versions of Android," according to Unuchek.
Once the trojan becomes active, it requests administrator rights. If the user denies the request, it repeatedly refreshes the window asking for the rights. Left with little other choice, the victim finally agrees.
From there, Faketoken starts requesting permissions including access to the user's text messages, files, and contacts, as well as the ability to send text messages and make calls. Once again, those requests are repeatedly displayed until the user finally agrees to provide access.
It also requests the ability to display windows on top of other applications, which is necessary to block the device and steal user data by displaying phishing pages.
The final request is for the right to be the default SMS application, allowing Faketoken to secretly steal text messages on the latest versions of Android.
Once the "preparatory stage" is over, the trojan begins stealing user data. It downloads a database from the server containing phrases in 77 languages for different device localizations.
Using a phrase from the database, depending on the language of the user, the trojan will display various phishing messages. If a message is clicked, the trojan opens a phishing page aimed at stealing passwords from Gmail accounts. It also overlays the original Gmail app with one appearing to have the same purpose.
But it's not just passwords that are targeted by the trojan. It also overlays the Google Play app with a phishing window aimed at stealing debit and credit card details.
"The trojan can also get the list of applications for attack and an HTML template page to generate phishing pages for the attacked applications from the C&C server. In our case, Faketoken received a list of 2,249 financial applications from around the world," Unuchek wrote.
The cybersecurity firm also provided a detailed list of other things the trojan is capable of, including blocking the device in order to extort money for unblocking it.
Once a relevant command is received, the trojan creates a list of files located on the device – including the external memory and memory card and encrypts them. The trojan receives the encryption key and initialization vector from the command and control (C&C) server.
“The AES symmetric encryption algorithm is used, which leaves the user with a chance of decrypting files without paying a ransom,” Unuchek noted.