App "mToken" intercepts texts, spams mobile devices to further campaign

A malicious app has infected more than 2k mobile devices and intercepted at least 25k SMS messages.

After analyzing the control panel for a malicious app called mToken, researchers found that miscreants spreading the Android malware had intercepted at least 25,000 text messages from more than 2,000 infected devices.

According to researchers at RSA's FraudAction Group, mToken targets users already infected with PC-based banking malware.

Once compromised individuals visit banking sites, attackers use HTML injection to display spurious pages to victims, which ask users for their cell phone number and other mobile data. With the number, saboteurs are able to send text messages to their targets that include links to the mToken installer.

Bank customers around the globe, including those in the Middle East, Asia and Australia, have been targeted by the mToken campaign. So far, customers of one U.S. bank have also been the target of scammers, RSA found.

On Thursday, Daniel Cohen, the head of knowledge delivery and business development for RSA's FraudAction Group, published a blog post about the operation, writing that the mToken campaign was “resilient” in that the botnet used two communication channels: HTTP and SMS.

“Having two separate communication channels (to the bots) means that any takedown effort must affect both points simultaneously,” Cohen wrote.

Once victims install the malicious app, saboteurs have the ability to intercept all incoming and outgoing text messages, and to send SMS messages to third parties from infected phones. With the latter capability, attackers can grow the mToken botnet by spamming other devices with mToken download links.

In addition, the botnet's spamming feature could give scammers the ability to send out premium-rate SMS messages.

In a Thursday follow-up interview with SCMagazine.com, Cohen said that attackers appear to be adding a function to mToken that can steal Android users' contacts.

“There was an uncompleted function to steal the address book from the phone,” Cohen said.

Often, popular banking malware, like Zeus or Citadel, is used as the “entry point” for attackers who also seek to spread mToken, he added. 

While mToken is not new malware, RSA was able to analyze its control panel and operations for the first time.

Via his blog post, Cohen said that the research provides a glimpse of the “behind-the-scenes” activities of the mobile botnet, along with its resilience.
