跳到主体内容

Faketoken Mobile Banking Trojan Adds Data Encryption and Targets Over 2,000 Apps

2016年12月19日

Kaspersky Lab experts have discovered a modification of the mobile banking Trojan, Faketoken that can encrypt user data. Disguised as various programs and games, including Adobe Flash Player, the modified Trojan can also steal credentials from more than 2,000 Android financial applications

Kaspersky Lab experts have discovered a modification of themobile banking Trojan,Faketokenthatcan encrypt user data.Disguised asvarious programs and games, includingAdobe Flash Player, the modified Trojan can also steal credentials from more than 2,000 Android financial applications. To date, the modified Faketoken has claimed over 16,000 victims in 27 countries, with mostlocated in Russia, Ukraine, Germany and Thailand.

The newly added data-encryption capability is unusual in that most mobile ransomware focuses on blocking the device rather than the data, which is generally backed-up to the cloud. In Faketoken’s case, the data - including documents and media files such as pictures and videos - is encrypted using an AES symmetric encryption algorithm that can, in some cases, be decrypted by the user without paying a ransom.

During the initial infection process, the Trojan demands administrator rights, permission to overlay other apps or to be a default SMS application – often leaving users with little or no choice but to comply. Among other things, these rights enable Faketoken to steal data: both directly, like contacts and files, and indirectly, through phishing pages.

The Trojan is designed for data theft on an international scale: once all the necessary rights are in place, it downloads a database from its command and control server containing phrases in 77 languages for different device localizations.  These are used to create phishing messages to seize passwords from users’ Gmail accounts. The Trojan can also overlay the Google Play Store, presenting a phishing page to steal credit card details. In fact, the Trojan can download a long list of applications for attack and even an HTML template page to generate phishing pages for the relevant apps. Kaspersky Lab researchers uncovered a list of 2,249 financial applications.

Intriguingly, the modified Faketoken also tries to replace with its own versions application shortcuts for social media networks, instant messengers and browsers. The reason for this is unclear as the substitute icons lead to the same legitimate applications.

“The latest modification of the Faketoken mobile banking Trojan is interesting in that some of the new features appearto provide limited additional benefit for the attackers.  That doesn’t mean we shouldn’t take them seriously.  They may represent the groundwork for future developments, or reveal the ongoing innovation of an ever-evolving and successful malware family. In exposing the threat, we can neutralize it, and help to keep people, their devices and their data safe,” said Roman Unuchek, Senior Malware Analyst, Kaspersky Lab.

Kaspersky Lab advises Android users to take the following steps to protect themselves against the Faketoken Trojan and other malware threats:

  • Ensure all data is backed-up.
  • Don’t automatically agree to hand over rights and permissions when an app asks you to do so – think about what is being asked for, and why you are being asked for it.
  • Install an antimalware solution on all devices and keep OS software up-to-date.

Kaspersky Lab has detected several thousand Faketoken installation packages capable of encrypting data, the earliest of which dates back to July 2016.  Kaspersky Lab products detect all modifications of the Faketoken malware family.

To learn more about the latest modification of Faketoken, read the blogpost on Securelist.

Faketoken Mobile Banking Trojan Adds Data Encryption and Targets Over 2,000 Apps

Kaspersky Lab experts have discovered a modification of the mobile banking Trojan, Faketoken that can encrypt user data. Disguised as various programs and games, including Adobe Flash Player, the modified Trojan can also steal credentials from more than 2,000 Android financial applications
Kaspersky logo

关于卡巴斯基

卡巴斯基是一家成立于1997年的全球网络安全和数字隐私公司。卡巴斯基不断将深度威胁情报和安全技术转化成创新的安全解决方案和服务,为全球的企业、关键基础设施、政府和消费者提供安全保护。公司提供全面的安全产品组合,包括领先的端点保护解决方案以及多种针对性的安全解决方案和服务,以及用于应对复杂和不断变化的数字威胁的网络免疫解决方案。全球有超过4亿用户使用卡巴斯基技术保护自己,我们还帮助全球200,000家企业客户保护最重要的东西。要了解更多详情,请访问www.kaspersky.com.cn.

相关文章 企业新闻