New FakeToken Android banking trojan steals logins directly

According to analysis by Carlos Castillo, malware researcher at McAfee Labs, a new version of the Android/FakeToken malware goes back to basics: it’s distributed through phishing emails pretending to be sent by the targeted bank. This malware attack simulates the real internet banking site by asking for confidential information like personal email and phone number, which is then used to initiate the mobile attack.

And, unlike previous Trojan bankers for Android such as the first FakeToken version and Zitmo/Spitmo, both authentication factors (Internet password and mTAN) are stolen directly from the mobile device.

To boot, FakeToken has other distribution tricks up its sleeve. Another technique used to distribute this malware includes injecting web pages from infected computers, simulating a fake security app that presumably avoids the interception of SMS messages by generating a unique digital certificate based on the phone number of the device. The fake web page provides a URL that is intended to be entered into the mobile browser, prompting the user to download/install the malware on the mobile device. The malicious app has the look and feel of security software for protecting SMS messages received by the customer, and thus avoids suspicion.

A third version injects a phishing web page that redirects users to a website posing as a security vendor. The site offers the faux security app, which the cybercriminals call the “eBanking SMS Guard,” and claims it protects against “SMS message interception and mobile phone SIM card cloning.”

“Once the application is downloaded and the user tries to install it, the malware requests almost the same permissions as [a known previous version of FakeToken], but the application doesn’t access the contact list,” explained Castillo. “This change was likely made to avoid raising suspicions.”

“Despite having the largest share of the smartphone market, according to stats released by Gartner, the Android platform continues to be the most vulnerable, with new vulnerabilities being discovered daily,” said Castillo.

When the user launches the application, the malware shows a WebView component displaying an HTML/JavaScript web page that pretends to be an mToken app, rather than the “SMS Guard” its name promises. Instead of asking the user to enter the first authentication factor, it simply shows a fake mToken value which, suspiciously, never changes.

At the same time, the malware sends an SMS message containing the device identifier (IMEI) to a specific phone number. The same identifier, along with others such as the IMSI and phone number, is also sent to a remote server to register the infected device with the attacker’s control server. From this point on, the content of every SMS received by the infected device is forwarded both to the remote server and to the phone number specified in the configuration file inside the original APK.
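The behaviour described above (intercepting received SMS, reading the IMEI/IMSI, and forwarding both by SMS and to a remote server) can only work if the app declares the corresponding Android permissions and registers a receiver for incoming SMS. The following triage script is an added example written for this article, not code from McAfee Labs or from the malware: it parses an AndroidManifest.xml and reports that permission-and-receiver combination. The manifests, the permission-to-behaviour mapping and the `analyse_manifest` function are the editor’s own constructions; the permission names and the `SMS_RECEIVED` broadcast action are standard Android identifiers.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by every android:* attribute in a manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the behaviour described in the article would require.
# (Editor's mapping from the described behaviour, not a list taken from the sample.)
INDICATORS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (mTAN capture)",
    "android.permission.READ_SMS": "read stored SMS messages",
    "android.permission.SEND_SMS": "forward SMS / IMEI to a configured phone number",
    "android.permission.READ_PHONE_STATE": "read IMEI / IMSI / phone number for registration",
    "android.permission.INTERNET": "report to a remote control server",
}

SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def analyse_manifest(manifest_xml: str) -> dict:
    """Return the SMS-stealer indicators found in a manifest string.

    'suspicious' is True when the app can both intercept SMS (permission or
    receiver) and exfiltrate it (SEND_SMS or INTERNET). Legitimate messaging
    apps also match, so this is a triage heuristic, not a verdict.
    """
    root = ET.fromstring(manifest_xml)

    declared = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    matched = {p: why for p, why in INDICATORS.items() if p in declared}

    # Receivers registered for the incoming-SMS broadcast; a high priority lets
    # the app see the message before the default SMS app does.
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                prio = flt.get(ANDROID_NS + "priority")
                sms_receivers.append({
                    "name": receiver.get(ANDROID_NS + "name"),
                    "priority": int(prio) if prio is not None else 0,
                })

    can_intercept = "android.permission.RECEIVE_SMS" in matched or bool(sms_receivers)
    can_exfiltrate = any(p in matched for p in
                         ("android.permission.SEND_SMS", "android.permission.INTERNET"))
    reads_identity = "android.permission.READ_PHONE_STATE" in matched

    return {
        "package": root.get("package"),
        "permissions": matched,
        "sms_receivers": sms_receivers,
        "reads_device_identity": reads_identity,
        "suspicious": can_intercept and can_exfiltrate,
    }


# Constructed sample manifests (not taken from any real APK).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.smsguard">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="eBanking SMS Guard">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = analyse_manifest(m)
        print(report["package"], "suspicious =", report["suspicious"])
        for perm, why in report["permissions"].items():
            print("   ", perm, "->", why)
        for r in report["sms_receivers"]:
            print("    SMS receiver", r["name"], "priority", r["priority"])
```

In practice the manifest is extracted from the APK first (it is stored in binary XML inside the archive, so a decoder such as apktool or aapt is needed before this parser can read it); the point of the check is to surface the intercept-plus-exfiltrate combination for an analyst rather than to classify apps on its own.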

“Taking into account this new version of FakeToken and the recent version of Zitmo, it’s clear that Android Trojan bankers are becoming more prevalent,” Castillo said. “This is partially due to the increased adoption of mobile banking, as well as the constant evolution of cybercriminal methods. By targeting different financial entities and changing their methods, cybercriminal attacks appear more credible (by removing excess functions) to victims and more effective in getting mTANs by intercepting all the SMS messages received by the affected user.”
