Kaspersky Lab warns of new modification of mobile banking Trojan, “Faketoken”
19 Aug 2017
A new modification of notorious mobile banking Trojan Faketoken, which allows criminals to steal credentials through apps like popular taxi and ride-sharing apps, has made a comeback, Moscow-based cybersecurity firm Kaspersky Lab said yesterday.
"The new version of 'Faketoken' performs live tracking of apps and, when the user runs a specified app, overlays this with its phishing window to steal the bank card details of the victim," Kaspersky Lab said in a statement.
The trojan virus comes with an identical interface, with the same colour schemes and logos, which create an instant and completely invisible overlay, as the apps.
"The fact that cybercriminals have expanded their activities from financial applications to other areas, including taxi and ride-sharing services, means that the developers of these services may want to start paying more attention to the protection of their users," said Viktor Chebyshev, security expert at Kaspersky Lab.
"The banking industry is already familiar with fraud schemes and tricks, and its previous response involved the implementation of security technologies in apps that significantly reduced the risk of theft of critical financial data," Chebyshev added.
Kaspersky Lab said, the new version of "Faketoken" mostly targeted Russian users but the geography of attacks could easily be extended in the future.
Faketoken started as a banking trojan that intercepted texts to steal two-factor authentication codes. According to Kashpersky's researchers, the Trojan spreads through SMS text message to potential victims, asking them to download some pictures.
The malware can even intercept SMS messages, meaning it can use the two-factor authentication required by some banks to authorise payments and transfers to the advantage of the criminals.
The researchers write: "To this day we still have not registered a large number of attacks with the Faketoken sample, and we are inclined to believe that this is one of its test versions. According to the list of attacked applications, the Russian UI of the overlays, and the Russian language in the code, Faketoken.q is focused on attacking users from Russia and CIS countries."
