A modified version of notorious mobile banking Trojan “Faketoken” has resurfaced which is able to steal credentials from popular taxi applications and ride-sharing apps, Moscow-based cyber security firm Kaspersky Lab said on Friday.
A year-old piece of Android malware poses a huge threat to anyone who stores bank card information for in-app purchases.
According to Kaspersky Lab, in the past year or so since its discovery, Faketoken has worked its way up from primitive bankbot capabilities like intercepting mTAN codes, to being able to encrypt files and eavesdrop on communications. While the modifications continue, its focus is spreading too, from low-level nuisance to serious security threat, to the point where it can overlay about apps to capture user credentials.
“The new version of ‘Faketoken’ performs live tracking of apps and, when the user runs a specified app, overlays this with its phishing window to steal the bank card details of the victim,” Kaspersky Lab said in a statement.
The malware, which likely sneaks onto smartphones through bulk SMS messages with a prompt to download some pictures, begins by monitoring all of the calls and apps the user launches. Upon receiving a call from (or making a call to) a certain phone number, the malware begins to record the conversation and sends it back to command and control. By the same token, when a user launches a targeted application, Faketoken substitutes its UI with a fake (but identical) one, prompting the victim to enter his or her bank card data.
The trojan virus has an identical interface, with the same colour schemes and logos, which creates an instant and completely invisible overlay. The malware puts screen overlays on an estimated 2,000 apps, including taxi booking, hotels and flights, to fake payment information windows. Kaspersky hasn’t named the affected apps yet.
“The fact that cybercriminals have expanded their activities from financial applications to other areas, including taxi and ride-sharing services, means that the developers of these services may want to start paying more attention to the protection of their users,” said Viktor Chebyshev, security expert at Kaspersky Lab.
Kaspersky labs reports that Faketoken has been mainly spotted in Russia but also notes that its evolution has kept pace with its spread around the globe.