New version of Faketoken Android Trojan hunts for Taxi and Ride-Sharing App Users

Kaspersky Lab researchers have discovered a new modification of the well-known mobile banking Trojan Faketoken, which has been developed and is now able to steal credentials from popular taxi applications.

The mobile app market is growing, and offering more and more services that store confidential financial data, including taxi services and ride-sharing apps that require the user’s bank card information. Being installed on millions of Android devices worldwide has made these apps attractive targets for cybercriminals, who have significantly extended the functionality of mobile banking malware.

The new version of Faketoken performs live tracking of apps and, when the user runs a specified app, overlays this with its phishing window to steal the bank card details of the victim. The Trojan has an identical interface, with the same colour schemes and logos, which creates an instant and completely invisible overlay. Based on the results of Kaspersky Lab’s research, the criminals are targeting the most popular international taxi and ride-sharing services with this malware.

Moreover, the Trojan steals all incoming SMS messages by redirecting them to its command and control servers, allowing criminals to get access to one-time verification passwords sent by a bank, or other messages sent by taxi and ride-sharing services. Among other things, this Faketoken modification can also monitor users’ calls, record them, and transmit the data to the command and control servers.

Overlaying is a common function enabled in many mobile applications. Last year, Kaspersky Lab reported a modification of Faketoken that was attacking more than 2,000 financial apps around the world by disguising itself as various programs and games, often imitating Adobe Flash Player. Since then, Faketoken has been developed further, and has expanded the geography of its activities.

“The fact that cybercriminals have expanded their activities from financial applications to other areas, including taxi and ride-sharing services, means that the developers of these services may want to start paying more attention to the protection of their users. The banking industry is already familiar with fraud schemes and tricks, and its previous response involved the implementation of security technologies in apps that significantly reduced the risk of theft of critical financial data. Perhaps now it is time for other services that are working with financial data to follow suit. The new version of Faketoken targets mostly Russian users. However, the geography of attacks could easily be extended in the future. We have seen that with previous versions of Faketoken and other banking malware in the past,” said Viktor Chebyshev, security expert at Kaspersky Lab.

Researchers have also detected Faketoken attacks on other popular mobile applications, such as travel and hotel booking apps, apps for traffic fine payments, Android Pay and the Google Play Market.

To protect yourself against the Faketoken Trojan and other Android malware threats, Kaspersky Lab strongly recommends that users do not install apps from unknown sources and use a reliable security solution, such as Kaspersky Mobile Antivirus: Web Security & Applock, on their device.

Read more about the new version of Faketoken Android malware on Securelist.com