The Riltok banking trojan, originally intended to target Russians, has, after a few modifications, set its sights on the European market.
The malware has more recently diverted four percent of its traffic to France and even smaller percentages to Italy, Ukraine and the U.K., although 90 percent of its victims remain in Russia, according to a June 25 Kaspersky blog post.
Riltok is distributed from infected devices via SMS, disguised as apps for popular free ad services in Russia. Victims typically receive an SMS containing a malicious link pointing to a fake website that appears to be a popular free ad service.
They are then prompted to download a “new version” of the mobile app, which is actually the trojan. To install the phony app, a victim must permit the installation of apps from unknown sources in the device settings.
Riltok asks the user for permission to use special features in AccessibilityService, and if the user ignores or declines the request, the window keeps opening ad infinitum.
Once the malware has obtained the desired rights, the trojan sets itself as the default SMS app (by independently clicking Yes in AccessibilityService) before vanishing from the device screen.
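The infection chain above changes three pieces of device state that a defender can check for: an unexpected package holding accessibility rights, a non-stock default SMS app, and installation from unknown sources enabled. The script below is an added triage check, not code from the Kaspersky report or this article. It assumes the three values were read with `adb shell settings get secure enabled_accessibility_services`, `sms_default_application` and `install_non_market_apps` (the last key applies to older Android releases), and the allowlists and the `com.example.fakeads` package name are constructed assumptions.

```shell
#!/bin/sh
# Added triage check for the device-state changes a Riltok-style infection needs.
# Values are passed as arguments so the check also runs over settings captured
# earlier with `adb shell settings get secure <key>`.

# Packages allowed to hold accessibility rights (assumed allowlist; adjust per fleet).
ACCESSIBILITY_ALLOWLIST="com.google.android.marvin.talkback"
# Stock SMS apps considered benign (assumed allowlist; adjust per fleet).
SMS_ALLOWLIST="com.google.android.apps.messaging com.android.messaging"

# in_list <needle> <space-separated haystack>
in_list() {
    for item in $2; do [ "$item" = "$1" ] && return 0; done
    return 1
}

# riltok_triage <enabled_accessibility_services> <sms_default_application> <install_non_market_apps>
# Prints one finding per line; exit status is the number of findings (0 = clean).
riltok_triage() {
    enabled="$1"; sms_app="$2"; unknown_sources="$3"; findings=0
    # enabled_accessibility_services is a colon-separated list of "pkg/service" entries
    for entry in $(printf '%s' "$enabled" | tr ':' ' '); do
        pkg="${entry%%/*}"
        if ! in_list "$pkg" "$ACCESSIBILITY_ALLOWLIST"; then
            echo "accessibility: unexpected service holder $pkg"
            findings=$((findings + 1))
        fi
    done
    if [ -n "$sms_app" ] && ! in_list "$sms_app" "$SMS_ALLOWLIST"; then
        echo "sms: default SMS app is non-stock package $sms_app"
        findings=$((findings + 1))
    fi
    if [ "$unknown_sources" = "1" ]; then
        echo "install: installation from unknown sources is enabled"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample state (com.example.fakeads is a placeholder, not a real
# Riltok identifier): TalkBack plus an unknown package holding accessibility
# rights, the same package set as default SMS app, unknown sources enabled.
riltok_triage \
    'com.google.android.marvin.talkback/.TalkBackService:com.example.fakeads/.AccService' \
    'com.example.fakeads' '1'
echo "findings: $?"
```

On a live device the three arguments come from the `settings get secure` keys named above; an empty allowlist hit on any line is enough to pull the device for a closer look.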
Once a device is infected, the malware actively communicates with its Command and Control servers and receives various commands.
Researchers noted the malware sends data about the device including the IMEI, phone number, country, mobile operator, phone model, availability of root rights, OS version, list of contacts, list of installed apps and incoming SMS.
Some of the operations found in the malware’s library include:
- Get address of cybercriminal C&C server
- Get configuration file with web injects from C&C, as well as default list of injects
- Scan for app package names that generated AccessibilityEvent events in the list of known banking/antivirus/other popular apps
- Set malware as default SMS app
- Get the address of the phishing page that opens when the app runs, among other operations
To prevent infection, researchers recommend that users never follow suspicious links sent via SMS, only install apps from official sources, and check what permissions are granted during installation.