The notorious Android banking Trojan has recently added ransomware functionality, so that it steals confidential data and locks user files at the same time, and it has now been modified to steal the credentials of Uber and other booking applications.
Security researchers at Kaspersky Lab have discovered a new variant of the Faketoken Trojan which can now detect and record calls on a device and display malicious overlays in taxi-booking applications to steal banking information.
Nicknamed Faketoken.q, the new variant of the Android banking Trojan is distributed via e-mail as its attack vector, prompting users to download an image file that in turn downloads the malware.
Android Banking Trojan Spies on Phone Conversations
Once downloaded, the malware installs the necessary modules and the main payload, hides its shortcut icon and begins to monitor everything that happens on the infected Android device, from every call to every application launch.
When calls to or from certain phone numbers are made or received on the victim's device, the malware begins recording the conversations and sends the recordings to the attacker's server.
In addition, Faketoken.q also monitors which applications the smartphone owner is using, and when it detects the launch of an application whose interface it can imitate, the Trojan immediately overlays that application with a fake user interface.
Android Banking Trojan Abuses the Overlay Feature to Steal Credit Card Details
To achieve this, the Android banking Trojan uses the same standard Android feature that a number of legitimate applications, such as Facebook Messenger and window managers, use to display screen overlays on top of all other applications.
The fake user interface asks victims to enter their payment card details, including the verification code, which the attackers can then use to initiate fraudulent transactions.
Faketoken.q can overlay a large number of applications for mobile banks and various applications, such as:
- Android Pay
- Google Play Store
- Apps for paying traffic fines
- Applications to book flights and hotel rooms
- Taxi booking apps
Because the bank sends an SMS code to authorize a transaction, the malware steals these SMS codes as they arrive and forwards them to the attackers' command-and-control (C&C) server, allowing the fraudulent transaction to succeed.
According to the researchers, Faketoken.q is designed to target Russian users, as it uses a Russian-language user interface.
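The overlay, SMS-interception and call-recording behaviour described above maps onto a recognisable permission profile. As an added example (not code from the original article or from Kaspersky), the following Python script parses text shaped like `adb shell dumpsys package` output and flags packages that request that combination; the sample dump and the package names in it are constructed for the example.

```python
import re

# Permissions that together match the capability profile described for
# Faketoken.q: overlay phishing, SMS code theft, call monitoring and recording.
RISKY = {
    "android.permission.SYSTEM_ALERT_WINDOW": "screen overlay",
    "android.permission.RECEIVE_SMS": "intercept SMS",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.READ_PHONE_STATE": "watch call state",
}

# Constructed sample shaped like `adb shell dumpsys package` output (not a
# real capture); package names are made up for the example.
SAMPLE = """\
Packages:
  Package [com.example.photoviewer] (a1b2c3):
    requested permissions:
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_SMS
      android.permission.RECORD_AUDIO
      android.permission.READ_PHONE_STATE
      android.permission.INTERNET
  Package [com.example.notes] (d4e5f6):
    requested permissions:
      android.permission.INTERNET
"""

def parse_requested_permissions(dump: str) -> dict:
    """Map package name -> set of requested permissions from dumpsys text."""
    pkgs, current = {}, None
    for line in dump.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:
            current = m.group(1)
            pkgs[current] = set()
        elif current and line.strip().startswith("android.permission."):
            pkgs[current].add(line.strip())
    return pkgs

def flag_overlay_sms_apps(dump: str, min_hits: int = 3) -> dict:
    """Packages requesting >= min_hits risky permissions, or the overlay+SMS pair."""
    flagged = {}
    for pkg, perms in parse_requested_permissions(dump).items():
        hits = sorted(RISKY[p] for p in perms & set(RISKY))
        # Overlay plus SMS access is the core phishing + OTP-theft pattern,
        # so that pair is surfaced even below the hit threshold.
        has_core = "screen overlay" in hits and "intercept SMS" in hits
        if len(hits) >= min_hits or has_core:
            flagged[pkg] = hits
    return flagged
```

Run it against a real `dumpsys package` dump to get a list of packages worth a closer look; a hit is a triage signal, not proof of infection, since some legitimate apps also combine these permissions.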
Ways to Protect Against This Android Banking Trojan
The easiest way to avoid falling victim to such banking Trojans is to avoid downloading applications via links sent in e-mails or from any unofficial app store.
You can also go to Settings → Security and make sure the "Unknown sources" option is disabled, which blocks the installation of applications from unknown sources.
It is important to check an app's permissions before installing it, even when it comes from the official Google Play store. If an application requests more permissions than you would expect, do not install it.
It is always a good idea to install an antivirus application from a reputable vendor that can detect and block malware before it infects your device, and to keep your system and applications up to date.