FakeToken Android Banking Trojan Returns as a Ride-sharing App

Planning your next ride from your favorite ride-sharing app? If it asks for your credit card data more than once, malware might be at play. 

Security researchers found an iteration of the Android banking Trojan FakeToken (detected by Trend Micro as ANDROIDOS_FAKETOKEN) posing as a ride-hailing application. This version of FakeToken was also seen masquerading as payment apps for traffic tickets as well as hotel and flight booking. 

FakeToken’s ruse is notable given the worldwide popularity of ride-sharing, taxi, carpooling, and transportation apps like Uber, Lyft, Sidecar, Easy, and Grab, and it poses significant risks to users. For instance, the number of installs for the Uber app on the Google Play Store alone ranges between 100 and 500 million. 

[READ: How can ride-sharing apps like Uber compromise your privacy?] 

But more than the ubiquitous usage of ride-sharing apps is the kind of information stored and used on these applications: financial and personally identifiable information. The latest version of FakeToken steals these by monitoring the apps installed on the device in real time. When the user runs a certain application, i.e. a ride-sharing app, it is overlaid with a phishing page that then prompts the would-be victim to input his payment card details. The fake phishing page features an identical user interface, including the logos and color schemes. 

This version of FakeToken can also intercept incoming SMS messages and forward stolen data to the cybercriminals’ command and control (C&C) severs. This snooping routine enables them to bypass two-factor authentication and similar verification processes employed by banks or mobile services. More daunting, however, is FakeToken’s capability to monitor and record phone calls, which will be saved and uploaded to the bad guys’ C&C servers. 

[From TrendLabs Security Intelligence Blog: How GhostCtrl Android backdoor can silently record your audio, video, and more] 

FakeToken first emerged in 2013 as a bank information-stealing mobile malware. It also dabbled as a mobile ransomware. It did so by misusing Android’s device administration application program interface (API), commonly used by enterprise apps, to change the device’s passcode and lock its screen. In 2016, FakeToken had the most variants distributed by cybercriminals. During the same year, mobile banking Trojans were the most pervasive in Russia, rounded out by Australia, Japan, Romania, Germany, Ukraine, and Taiwan. 

While the latest version of FakeToken is currently distributed around Russia and countries in the Commonwealth of Independent States—it won’t take long before it hitchhikes its way across the world. Don’t overshare information and limit the permissions you grant to your apps. Also, be wary of unsolicited text messages, especially if they have suspicious links. Adopt best practices to securing your mobile device, and especially so if they are under a Bring Your Own Device (BYOD) environment.

Trend Micro Solutions

End users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Android™ (available on Google Play).  Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites. 


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Posted in Mobile Safety, Android