A mobile banking trojan known for using malicious overlays to trick financial app users into giving away their credentials has evolved further to target travel, transportation and traffic ticket payment apps, as well as record phone calls.
According to a Kaspersky Lab Securelist blog post on Thursday, a newly discovered version of the Faketoken Android malware called Faketoken.q monitors an infected device's calls and launched apps. When calls are made to or received from certain numbers, the malware records them and sends the file to the attackers.
Additionally, when certain targeted apps are opened, Faketoken.q will display a fake user interface where victims are encouraged to enter their data, which can later be used to initiate fraudulent transactions. The trojan can even steal incoming SMS codes that banks send to users for security purposes in order to authorize said transactions.
In order to look more credible, the fraudulent app interfaces feature the same color schemes as the genuine app being imitated; however, certain obvious formatting mistakes suggest that the sample Kaspersky analysts observed is still an unfinished test version. The fact that Kaspersky has not seen a large amount of attacks using this trojan supports this theory.
Targeted apps include Android Pay, the Google Play Store, and programs for paying traffic tickets and booking flights, taxis and hotel rooms. A successful attack against any of these apps could be especially damaging, considering that they all give customers the option of linking to a bank card for payment purposes, and in some cases actually require this, Kaspersky notes in its blog post, authored by research development team lead Victor Chebyshev.
Specifically, the malware is focused on Russian-speaking users, as indicated by the use of Russian language on the user interface. (There is also Russian in the code itself.) Additionally, the traffic ticket app that Kaspersky references as a target applies to tickets issued by the Main Directorate for Road Traffic Safety, a division of the Ministry of Internal Affairs of Russia.
Kaspersky analysts suspect that the adversaries behind this campaign are using bulk SMS messages as their attack vector, prompting victims to download a supposed picture file that is in reality Faketoken.q. The first stage of the trojan is an obfuscated dropper, which decrypts and launches an encrypted second file with a DAT extension; this second file serves as the main payload.
The first known version of Faketoken was discovered over a year ago. Originally, the trojan was designed to intercept transaction authentication numbers during financial transactions and later added malicious overlays for roughly 2,000 financial apps, the blog post reports, noting that this latest version maintained the malicious overlays, but "simplified them considerably."