Old Faketoken Trojan Activates Due to COVID-19

Written by Emma Davis

BI.ZONE experts recorded a surge in activity of the malware, which long ago disappeared from information security radars. The Faketoken Trojan activates due to COVID-19 and steals money from users of Android devices, disguising itself as an application of a popular trading platform.

Researchers say that the 2020 Faketoken is able to intercept SMS on the device, send messages to the criminals server, and also display phishing windows on top of legitimate applications (for collecting bank card data).

“A distinctive feature of the latest version of the Trojan was the ability to prevent the removal of malware from the device using anti-virus programs,” say BI.ZONE researchers.

However, experts note that it is still possible to remove Faketoken: to do so, boot the OS into safe mode.

BI.ZONE experts link the Trojan's current activity to the mass shift of employees to remote work caused by the coronavirus pandemic. People are sitting at home, online trading is growing in popularity, and attackers are not missing the chance to take advantage of this.

Currently, the Faketoken botnet includes more than 10,000 infected devices. For spreading the malware, attackers register up to seven new phishing domains daily.

“Most infections occur according to the standard scheme. The user places an ad on the trading platform and receives an SMS or a message in a messenger with a link to the phishing page. He follows the link and downloads the installation .apk file, which is visually indistinguishable from the real application of this online platform,” write the experts.

After the .apk is launched and the malicious application is granted the rights it asks for, the attackers gain control over the infected device. Then, when the victim opens a targeted legitimate application (for example, a mobile banking app or a taxi service), the Trojan, under an assumed pretext, asks for bank card data and intercepts the SMS codes sent by the bank. Using this information, the criminals steal the user’s money.

“Faketoken spreads very quickly: every day the Trojan infects more than 2000 devices. In order not to become a victim of criminals, we recommend that you do not follow links from suspicious sources, install applications only from official stores and do not disable the Google Play Protect protective service. Using an antivirus and updating anti-virus databases in a timely manner will also help reduce the risk of infection,” commented BI.ZONE experts.
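The two capabilities described above, reading incoming SMS and drawing phishing windows over other apps, both require permissions the user grants after sideloading the .apk. That makes "sideloaded app holding both an SMS permission and the overlay permission" a useful triage heuristic for a defender checking a device. The script below is an added example, not code from BI.ZONE or from this article: it parses a constructed, simplified excerpt shaped like `adb shell dumpsys package` output and flags packages matching that heuristic. The package names, the `installerPackageName=` field and the `granted=true` lines are assumptions about the dumpsys layout, which varies by Android version, so check them against a real device before relying on the output.

```python
"""Triage helper: flag sideloaded Android apps that hold both an SMS-reading
permission and the overlay permission, the combination Faketoken-style
bankers use for SMS interception plus phishing windows.

Added example (not from the BI.ZONE write-up). The input is a constructed,
simplified excerpt in the shape of `adb shell dumpsys package` output; the
field names are assumptions to verify against your own device.
"""
import re
from dataclasses import dataclass, field

# Constructed sample (not a real capture): one Play-installed banking app and
# one sideloaded app posing as a trading-platform update.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.bank] (1a2b3c):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true
  Package [com.trade.marketplace.update] (9f8e7d):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.SEND_SMS
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true
        android.permission.SEND_SMS: granted=true
"""

# Google Play; add OEM store package names here if the device uses them.
OFFICIAL_INSTALLERS = {"com.android.vending"}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"


@dataclass
class PackageInfo:
    name: str
    installer: str = "unknown"
    granted: set = field(default_factory=set)


def parse_dumpsys(text: str) -> list[PackageInfo]:
    """Collect package name, installer and granted permissions per package."""
    pkgs: list[PackageInfo] = []
    cur = None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"Package \[([\w.]+)\]", s)
        if m:
            cur = PackageInfo(name=m.group(1))
            pkgs.append(cur)
            continue
        if cur is None:
            continue
        if s.startswith("installerPackageName="):
            cur.installer = s.split("=", 1)[1]
        # Both install-time and runtime permission lines use this shape.
        m = re.match(r"([\w.]+): granted=true", s)
        if m:
            cur.granted.add(m.group(1))
    return pkgs


def suspicious_packages(pkgs: list[PackageInfo]) -> list[str]:
    """Sideloaded apps that hold an SMS-reading permission and the overlay permission."""
    flagged = []
    for p in pkgs:
        sideloaded = p.installer not in OFFICIAL_INSTALLERS
        if sideloaded and (p.granted & SMS_PERMS) and OVERLAY_PERM in p.granted:
            flagged.append(p.name)
    return flagged


if __name__ == "__main__":
    for name in suspicious_packages(parse_dumpsys(SAMPLE_DUMPSYS)):
        print("review:", name)
```

A hit is a lead, not a verdict: legitimate messengers also read SMS and draw overlays, so the list is meant to narrow what a responder inspects (installer source, signing certificate, install date) rather than to remove anything automatically.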

Let me remind you that the Faketoken Trojan was first spotted back in 2012. However, whereas the first version of the Trojan could only intercept SMS passwords from online banks, over the past eight years of evolution its capabilities have grown significantly.

In 2014, this malware entered the top 20 most common mobile threats and then worked in tandem with desktop bankers: the “senior comrade” hacked into the victim’s account and withdrew money, while Faketoken intercepted the SMS messages with one-time passwords confirming those transactions.

By 2016, the Trojan began to steal money on its own: it learned to cover other applications with fake windows and force the user to enter usernames, passwords and bank card details into them. In addition, it took on ransomware behaviour: it began to lock the screen of the infected device while encrypting the files on it.

By 2017, Faketoken had learned to mimic a whole range of applications as a mask for stealing card data: mobile banking programs, e-wallets such as Google Pay, and even taxi services and fine-payment apps.

In early 2020, analysts noticed that Faketoken not only steals data on other people’s finances, but also sends SMS messages from infected devices with insults.

Faketoken is not the first “risen from the grave” malware. I recently wrote that Zeus Sphinx operators resumed their activities during the pandemic.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
