A hacked/modified version of a mobile banking app, dubbed Faketoken, can encrypt user data to extort money from the user.
A lot of people have been victimized by this app modification. It has reached 27 countries because it targets more than 2,000 Android financial apps.
It has been distributed disguised as various games and programs, and most of the time it poses as Adobe Flash Player.
The trojan is capable of interacting with the operating system's protection mechanisms. One trick is to request the right to overlay other apps, or the right to be the default SMS application.
So how does this affect the user? Basically, this allows Faketoken to steal user data even if you are running the latest version of Android.
Its first objective is to become active on your phone. It requests administrator rights, and even if you deny the request, it repeatedly refreshes the window asking for those rights. Annoyance, or having practically no other choice, eventually prompts you as the user to click the button to allow or agree.
From there, Faketoken starts requesting permissions including access to the user’s text messages, files, and contacts, as well as the ability to send text messages and make calls. Once again, those requests are repeatedly displayed until the user finally agrees to provide access.
We mentioned overlaying earlier. This means the trojan has the ability to display windows on top of other applications.
This blocks the view of the original app and makes you think you are looking at a legitimate page, when it is really a phishing page.
Last but not least, it also requests the right to be the default SMS application. This lets it steal text messages on any Android version.
Sounds like a lot of preparation to gain full access, right? Once everything has been activated and installed, it starts stealing data and whatever other information the operators want. To make it look more authentic, it downloads a database containing 77 languages to personalize and localize what you see on your mobile phone.
Using a phrase from the database that matches the language of the user, the trojan displays various phishing messages. If a message is clicked, the trojan opens a phishing page aimed at stealing Gmail account passwords. It also overlays the original Gmail app with a window that appears to serve the same purpose.
But it's not just passwords that the trojan targets. It also overlays the Google Play app with a phishing window aimed at stealing debit and credit card details.
“The trojan can also get the list of applications for attack and an HTML template page to generate phishing pages for the attacked applications from the C&C server. In our case, Faketoken received a list of 2,249 financial applications from around the world,”
Here is the major twist: this trojan is capable of blocking the device in order to extort money before it will unblock it, much like the ransomware that runs on computers.
Once the relevant command is received, the trojan builds a list of files located on the device (including the external memory and memory card) and encrypts them. The trojan receives the encryption key and initialization vector from the command and control (C&C) server.
“The AES symmetric encryption algorithm is used, which leaves the user with a chance of decrypting files without paying a ransom,”