The data encryption capability is unlike that of most mobile ransomware in that it blocks the data rather than the device
Kaspersky Lab has discovered a modification of the mobile banking trojan Faketoken which can encrypt user data, disguise itself as various programmes and games and steal credentials from more than 2,000 financial Android apps.
The modified trojan has so far claimed over 16,000 victims in 27 countries, most of them in Russia, Ukraine, Germany and Thailand.
The data encryption capability is unlike that of most mobile ransomware variants in that it blocks the data itself rather than the device. The data – including documents and media files such as pictures and videos – is encrypted with the AES symmetric cipher, and in some cases the user can decrypt it without having to pay a ransom.
During the initial infection process, the Trojan demands administrator rights, permission to overlay other apps, or to become the default SMS application, often leaving users with little or no choice but to comply. These rights enable Faketoken to steal data both directly (contacts and files) and indirectly (through phishing pages).
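The three rights described above (device administrator, screen overlay and default SMS handler) all leave traces in an app's manifest. The following added example, which is not code from the article or from Kaspersky Lab, triages a decoded AndroidManifest.xml for that combination; the manifest it parses is constructed for illustration and the `triage_manifest` function and its scoring are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Android manifest attribute namespace and the indicators this check looks for.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"          # draw over other apps
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"       # device-admin receiver
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
SMS_DELIVER_ACTION = "android.provider.Telephony.SMS_DELIVER"    # default-SMS-app candidate

# Constructed sample: a manifest that asks for all three rights at once.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign sample for comparison: only network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def triage_manifest(manifest_xml):
    """Report which of the three Faketoken-style rights a manifest requests.

    Returns a dict of boolean findings plus a 0-3 score (count of rights found);
    the score threshold is a hypothetical heuristic, not a vendor rule.
    """
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ATTR_NAME) for p in root.iter("uses-permission")}
    actions = {a.get(ATTR_NAME) for a in root.iter("action")}
    admin_receiver = any(r.get(ATTR_PERMISSION) == DEVICE_ADMIN_PERM for r in root.iter("receiver"))
    findings = {
        "overlay": OVERLAY_PERM in requested,
        "device_admin": admin_receiver or DEVICE_ADMIN_ACTION in actions,
        "default_sms_candidate": SMS_DELIVER_ACTION in actions,
    }
    findings["score"] = sum(1 for v in findings.values() if v)
    return findings
```

A score of 3 on an app that is not a known SMS client or MDM agent is worth a closer look; run it over manifests extracted with a decoder such as apktool.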
Once all the necessary rights are in place, it downloads from its command and control server a database of phrases in 77 languages, covering different device localisations. These are used to build phishing messages that seize the passwords to users’ Gmail accounts. The Trojan can also overlay the Google Play Store with a phishing page to steal credit card details.
“The latest modification of the Faketoken mobile banking Trojan is interesting in that some of the new features appear to provide limited additional benefit for the attackers,” said Roman Unuchek, senior malware analyst at Kaspersky Lab.
“That doesn’t mean we shouldn’t take them seriously. They may represent the groundwork for future developments, or reveal the ongoing innovation of an ever-evolving and successful malware family. In exposing the threat, we can neutralise it, and help to keep people, their devices and their data safe.”
To protect against the Faketoken trojan, Kaspersky Lab recommends carrying out regular data backups and making sure up-to-date antimalware solutions are installed on all devices.
The number of trojan threats in circulation has grown significantly in 2016, with banking a popular target. Examples include Dridex, which IBM X-Force discovered at the beginning of the year, and a trojan dubbed Odinaff, which defrauds financial institutions by gaining control over their systems and networks.