In recent weeks, security researchers at Kaspersky Lab have identified a new variant of ‘Faketoken‘, an Android banking Trojan. The new variant, known as Faketoken.q, is being circulated via bulk SMS messages that prompt users to download a picture, when in actual fact, they are downloading the malware.

Faketoken.q has the ability to record calls made on the infected device, and also place overlays on top of a large number of legitimate apps.

Phone Calls Are Being Recorded

After being downloaded, the malware installs its payload and starts monitoring everything that happens on the infected Android device. Its shortcut icon is hidden from view, so that it can remain undetected for as long as possible.

Incoming and outgoing phone calls on the infected device are recorded and sent to the attacker’s server. The malware also monitors which apps are being launched on the device, and if it detects that an app it can imitate is opened, it quickly overlays the app with a fake interface, unbeknownst to the user. These fake interfaces can then be used to prompt users for credit card details, which can later be used by the attacker for fraudulent activity.

The Trojan utilises the same Android feature that legitimate apps, such as Facebook Messenger, use to overlay their screen on top of other apps. As well as a number of mobile banking apps, Faketoken.q has the ability to overlay many other apps, such as: Google Play Store, Android Pay, apps for booking taxis and travel booking apps.

Worse still, this Trojan can be used to perform a Man in the Middle attack, to breach two-factor authentication used by most banking apps:

  • The victim enters their banking username and password into the fake banking app interface.
  • The attacker (man in the middle) then captures those details and enters them into the “real” banking app.
  • The victim carries out a transaction on the fake interface, with the attacker entering a matching dollar value onto the legitimate interface, but paying the money into their own account.
  • The SMS verification code will then be triggered and the malware intercepts the incoming SMS message code and forwards it to the attacker’s command-and-control (C&C) server.

Researchers report that the Faketoken.q malware has been designed to claim Russian-speaking victims, as the language used on the fake app interface is Russian.

Protection from Android Banking Trojans

  • Avoid downloading apps from links in emails or SMS messages.
  • DO NOT enter your bank details into applications and websites from unknown sources.
  • Go to Settings > Security > make sure Unknown sources is switched OFF. This setting will block the installation of apps from unknown sources.

Note: By default, Android phones only allow users to install apps from the official Google Play Store.

  • Check which permissions apps are asking for BEFORE you download them. If permissions seem overly intrusive or unnecessary, don’t download the app.
  • Regularly update your operating system software and installed apps, to stay on top of any vulnerabilities authors may discover and fix.
  • Experts at Fraudwatch International recommend installing an antivirus app, from a reputable company, which will detect and block malware before it has a chance to infect your device.