Android users, beware! A new ransomware app is infecting Android devices with a banking trojan called Faketoken, which is considered extremely harmful. In this article, we will discuss everything you need to know about Faketoken, including how it came into existence and how it has evolved over the last few years.
Researchers detected that some 5,000 smartphones infected by Faketoken had started sending offensive SMS messages.
"SMS capability is in fact standard equipment for mobile malware apps, many of which spread through download links they send to victims’ contacts. In addition, banking Trojans often ask to become the default SMS application so they can intercept confirmation code messages. But for banking malware to turn into a mass texting tool? We had never seen that before," Kaspersky said in its blog post.
Faketoken-induced messages are charged to the infected device owners. Before sending anything out, the malware confirms that the victim's bank account has sufficient funds. If the account has the cash, the malware uses the card to recharge the mobile account before proceeding with messaging.
As we mentioned, Faketoken is a banking trojan and it's been around for quite some time now. Researchers at Kaspersky have detailed the timeline of how Faketoken evolved in recent years.
-- In 2014, Faketoken made it to Kaspersky's list of the most widespread mobile threats.
-- By 2016, Faketoken -- a full-fledged mobile banking trojan -- was stealing money directly.
-- By 2017, Faketoken was mimicking other mobile banking apps, e-wallets, taxi service apps, etc. to steal bank account data.
In the early days of mobile Trojans, the malware coordinated with desktop banking trojans to a significant extent. While the desktop trojan hacked into victims’ accounts to steal money, Faketoken intercepted text messages with one-time passwords (OTPs) to confirm and authenticate the transactions.
Eventually, Faketoken became more independent and overlaid other apps with fake windows to trick users into entering their login credentials and bank card information. It also functioned effectively as ransomware, blocking the infected devices' screens and encrypting their files.