What is Faketoken? Malicious Android banking Trojan targets popular taxi and ride-hailing apps

Security experts have discovered a new version of the malicious Android banking Trojan called Faketoken, which is now targeting users of popular apps for booking taxis and paying traffic tickets. Kaspersky Lab researchers say the malware, which has been known for over a year now, has been upgraded to include some more nefarious mechanisms to steal users' payment card data from taxi and ride-hailing apps.

"The authors of its newer modifications continue to upgrade the malware, while its geographical spread is growing," malware researcher Victor Chebyshev wrote in a blog post on Thursday (17 August). Last year, Kaspersky reported that a modification of Faketoken was attacking over 2000 financial apps across the globe.

"Not so long ago, thanks to our colleagues from a large Russian bank, we detected a new Trojan sample, Faketoken.q, which contained a number of curious features."

The latest version of the trojan targets apps used to book taxi services in Russia along with mobile apps used to pay traffic tickets issued by the country's Main Directorate for Road Traffic Safety.

Researchers have said that they haven't been able to reconstruct the exact chain of steps used by the malware's creators to target and attack users yet. However, they suspect that the malware makes its way into users' smartphones via bulk SMS messages that include a prompt to download pictures.

After the Trojan is initiated, it hides in an unsuspecting shortcut icon on a user's smartphone and begins to monitor all calls and apps launched by the victim.

"Upon receiving a call from (or making a call to) a certain phone number, the malware begins to record the conversation and sends it to evildoers shortly after the conversation ends," Kaspersky Lab said. "The authors of Faketoken.q kept the overlay features and simplified them considerably. So, the Trojan is capable of overlaying several banking and miscellaneous applications, such as Android Pay, Google Play Store, and apps for paying traffic tickets and booking flights, hotel rooms, and taxis."

After the victim launches a particular app, it substitutes its user interface with a fake one that asks the person to plug in his or her bank details.

"The substitution happens instantaneously, and the colors of the fake UI correspond to those of the original launched app," researchers warned. "As millions of Android users have these applications installed, the damage caused by Faketoken can be significant."

While many banks often send over a unique code to a customer in order to process a payment, the fraudsters behind Faketoken can circumvent this safety feature by stealing any incoming SMS messages and relaying them over to the command-and-control servers.

According to researchers, the latest version of Faketoken does seem to be unfinished since its screen overlays still contain "formatting artifacts" that can pose as red flags for a user.

"As screen overlays are a documented feature widely used in a large number of apps (window managers, messengers, etc.), protecting yourself against such fake overlays is quite complicated, a fact that is exploited by evildoers," researchers said.

So far, Kaspersky has not detected a large number of attacks using the Faketoken sample, nothing that it could be one of its test versions. Given the list of targeted applications so far, the Russian language in the malware's code and Russian UI of the overlays, the trojan is currently focusing on users in Russia and CIS countries.

"The fact that cybercriminals have expanded their activities from financial applications to other areas, including taxi and ride-sharing services, means that the developers of these services may want to start paying more attention to the protection of their users," Chebyshev told IBTimes UK. "The banking industry is already familiar with fraud schemes and tricks... Perhaps now it is time for other services that are working with financial data to follow suit."