The new version of Faketoken Malware Targets Uber-Like Apps to Steal Banking Credentials.
Kaspersky Labs has identified malware in apps like Uber and has warned users to beware of a mobile banking Trojan Faketoken. It is an already known threat, but cybercriminals have now modified it to steal credentials from nu-taxis, hotel room booking, flight booking and traffic ticket paying apps.
According to the research team at Kaspersky Lab, due to the growing trend of mobile applications, a large number of different services is being offered to users through smartphones such as taxi services or ride-sharing. These services require provision of confidential financial data and bank card information, which is saved on the app. These apps, which are installed on “millions of Android devices worldwide,” have become attractive targets for cyber criminals. That’s why we are observing “extended” functionality of mobile banking Trojans.
The modified Faketoken banking Trojan can track applications. When the user opens a specific app, the malware alters the interface and runs a fake, phishing window instead so that the bank account details could be stolen. It is worth noting that this Trojan has almost identical interface bearing similar color schemes and logos that create a completely invisible overlay almost instantly.
Kaspersky Lab has noted that the current favorite of cyber criminals is the taxi-like apps and the most popular services in this category are being targeted nowadays such as Uber. The threats are various, such as “the malware and that infected users face SMS message redirection for password intervention and the threat of having all their comms recorded and sent off for bad purposes” to name a few. The malware is designed not just to steal banking credentials but also to spy on SMS messages and monitor phone calls.
It is a known fact that banking industry has always remained the prospective target of fraud schemes and other scams, but the targeting of a taxi or ride-sharing services is relatively new. This hints at the fact that cyber criminals are trying to expand their domain and spread their range to other, unconventional areas apart from strictly financial apps. This calls for enhanced security of the apps by their owners and developers to ensure users’ protection.
A security expert at Kaspersky Lab Viktor Chebyshev states: “Previous response involved the implementation of security technologies in apps that significantly reduced the risk of theft of critical financial data. Perhaps now it is time for other services that are working with financial data to follow suit.”
Faketoken currently is limited to Russian and ex-Soviet countries’ users, but the scope can be broadened in the future quite easily as was evident with the previous versions of Faketoken and similar banking malware. Its previous version was capable of stealing 2FA codes by intercepting text messages, but this new version is distributed through bulk SMS text messages.
Victims are then asked to download some images and when they do that the malware gets installed and hides its icon to covertly change the overlay of banking and other applications installed on the Android device. The malware can perform this trick on all sorts of apps may these be at Android Pay or Google Play Store. When the credentials are stolen, the attacker gets hold of them and can perform identity theft or bank fraud easily.
According to Kaspersky researchers: “To this day we still have not registered a large number of attacks with the Faketoken sample, and we are inclined to believe that this is one of its test versions. According to the list of attacked applications, the Russian UI of the overlays, and the Russian language in the code, Faketoken.q is focused on attacking users from Russia and CIS countries.”
As is the norm, security experts suggest that users of Android smartphones must only install apps from official Google Play Store and ignore third-party app sources. They shouldn’t download any attachments from unknown sources as well.
Source: Kaspersky Labs