The Faketoken malware is not such an old dog, and now has learned some new tricks for stealing bank card information. It infects Android devices—and, straying from its previous MO of targeting banking applications—can now spoof taxi and ride-share apps, among other things.
According to Kaspersky Lab, in the past year or so since its discovery, Faketoken has worked its way up from primitive bankbot capabilities like intercepting mTAN codes, to being able to encrypt files and eavesdrop on communications. While the modifications continue, its focus is spreading too, to the point where it can overlay about 2,000 financial apps to capture user credentials.
Now, Kaspersky has detected a new variant with a mechanism for attacking apps for booking taxis, hotels and flights, and for paying traffic tickets.
The malware, which likely sneaks onto smartphones through bulk SMS messages with a prompt to download some pictures, begins by monitoring all of the calls and apps the user launches. Upon receiving a call from (or making a call to) a certain phone number, the malware begins to record the conversation and sends it back to command and control. By the same token, when a user launches a targeted application, Faketoken substitutes its UI with a fake (but identical) one, prompting the victim to enter his or her bank card data.
Also, to get around two-factor authentication, the malware can steal incoming SMS messages and forward them to command-and-control servers as well.
As for how widespread this is, the good news is that this version could represent a trial only.
“To this day we still have not registered a large number of attacks with the Faketoken sample, and we are inclined to believe that this is one of its test versions,” researchers said in a posting. “According to the list of attacked applications, the Russian UI of the overlays, and the Russian language in the code, Faketoken.q is focused on attacking users from Russia and CIS countries.”
Obviously, users should avoid downloading anything from unknown senders of text messages, and beware unofficial app stores.