App "mToken" intercepts texts, spams mobile devices to further campaign

A malicious app has infected more than 2k mobile devices and intercepted at least 25k SMS messages.

After analyzing the control panel for a malicious app called mToken, researchers found that miscreants spreading the Android malware had intercepted at least 25,000 text messages from more than 2,000 infected devices.

According to researchers at RSA's FraudAction Group, mToken targets users already infected with PC-based banking malware.

Once compromised individuals visit banking sites, attackers use HTML injection to display spurious pages to victims, which ask the user for their cell phone number and other mobile data. With the number, saboteurs are able to send text messages to their targets that include links to the mToken install.

Bank customers around the globe, including those in the Middle East, Asia and Australia, have been targeted by the mToken campaign. So far, customers of one U.S. bank have also been the target of scammers, RSA found.

On Thursday, Daniel Cohen, the head of knowledge delivery and business development for RSA's FraudAction Group, published a blog post about the operation, writing that the mToken campaign was “resilient” in that the botnet used two communication channels: HTTP and SMS.

“Having two separate communication channels (to the bots) means that any takedown effort must affect both points simultaneously,” Cohen wrote.

Once victims install the malicious app, saboteurs have the ability to sniff out all incoming and outgoing text messages, and to also send out SMS messages to third parties from infected phones. With the latter capability, attackers can grow the mToken botnet by spamming other devices with mToken download links.

In addition, the botnet's spamming feature could also give scammers the ability to send out premium-rate SMS.

In a Thursday follow-up interview with SCMagazine.com, Cohen said that attackers appear to be adding a function to mToken that can steal Android users' contacts.

“There was an uncompleted function to steal the address book from the phone,” Cohen said.

Often, popular banking malware, like Zeus or Citadel, is used as the “entry point” for attackers who also seek to spread mToken, he added.

While mToken is not new malware, RSA was able to analyze its control panel and operations for the first time.

Via his blog post, Cohen said that the research provides a glimpse of the “behind-the-scenes” activities of the mobile botnet, along with its resilience.
