Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Incident Response, TDR, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

App “mToken” intercepts texts, spams mobile devices to further campaign


After analyzing the control panel for a malicious app called mToken, researchers found that miscreants spreading the Android malware had intercepted at least 25,000 text messages from more than 2,000 infected devices.

According to researchers at RSA's FraudAction Group, mToken targets users already infected with PC-based banking malware.

Once compromised individuals visit banking sites, attackers use HTML injection to display spurious pages to victims, which ask the user for their cell phone number and other mobile data. With the number, saboteurs are able to send text messages to their targets that include links to the mToken install.

Bank customers around the globe, including those in the Middle East, Asia and Australia, have been targeted by the mToken campaign. So far, customers of one U.S. bank have also been the target of scammers, RSA found.

On Thursday, Daniel Cohen, the head of knowledge delivery and business development for RSA's FraudAction Group, published a blog post about the operation, writing that the mToken campaign was “resilient” in that the botnet used two communication channels: HTTP and SMS.

“Having two separate communication channels (to the bots) means that any takedown effort must affect both points simultaneously,” Cohen wrote.

Once victims install the malicious app, saboteurs have the ability to sniff out all incoming and outgoing text messages, and to also send out SMS messages to third parties from infected phones. With the latter capability, attackers can grow the mToken botnet by spamming other devices with mToken download links.

In addition, the botnet's spamming feature could also give scammers the ability to send out premium-rate SMS.

In a Thursday follow-up interview with, Cohen said that attackers appear to be adding a function to mToken that can steal Android users' contacts.

“There was an uncompleted function to steal the address book from the phone,” Cohen said.

Often, popular banking malware, like Zeus or Citadel, is used as the “entry point” for attackers who also seek to spread mToken, he added. 

While MToken is not new malware, RSA was able to analyze its control panel and operations for the first time.

Via his blog post, Cohen said that the research provides a glimpse of the “behind-the-scenes” activities of the mobile botnet, along with its resilience.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.