Bad news, fandroids: Mobile banking malware now encrypts files

Cybercrooks have outfitted ransomware functionality onto an already dangerous mobile banking Trojan.

The modified Faketoken can steal credentials from more than 2,000 Android financial applications, security researchers at Kaspersky Lab warn. Based on telemetry, Kaspersky Lab estimates that Faketoken has claimed over 16,000 victims in 27 countries. Users in Russia, Ukraine, Germany and Thailand have been the most heavily affected. Variants of the malware first surfaced back in July.

Stealing financially related data on an industrial scale remains Faketoken’s main scam. The ransomware element of the Android nasty is problematic for victims but not as potent as its developers might have hoped, as Kaspersky Lab researchers explain.

“The newly added data-encryption capability is unusual in that most mobile ransomware focuses on blocking the device rather than the data, which is generally backed-up to the cloud,” Kaspersky Lab researchers explain. “In Faketoken’s case, the data – including documents and media files such as pictures and videos – is encrypted using an AES symmetric encryption algorithm that can, in some cases, be decrypted by the user without paying a ransom.”

Faketoken poses as various programs and games, including Adobe Flash Player. During the initial infection process, the Trojan demands administrator rights, permission to overlay other apps or to be a default SMS application – often leaving users with little or no choice but to comply. Among other things, these rights enable Faketoken to steal data (such as contacts and files either directly or indirectly, through phishing pages).

For example, the Trojan can overlay the Google Play Store, presenting a phishing page in attempts to trick marks into handing over their credit card details. Another phishing template impersonates Gmail’s login page.

The revised Faketoken also tries to replace application shortcuts for social media networks, instant messengers and browsers with its own versions. The reason for this is unclear as the substitute icons lead to the same legitimate applications. It’s probable that malicious coders have done this in order to lay the groundwork for future developments.

The malware serves to underline why you should not blindly hand over permissions to mobile apps as well as the importance of backing up data.

More details about the threat evolution of Faketoken can be found in a post on Kaspersky Lab’s Securelist blog here. ®