Paying for things on your smartphone, a taxi ride for example, may not seem risky, so people do not hesitate to add their credit card information to mobile apps.
However, if you notice money disappearing from your bank account, your smartphone may have been compromised by a mobile Trojan.
Victor Chebyshev, a researcher at Kaspersky Lab, has recently detected malware that steals bank information by imitating the interfaces of taxi mobile applications.
This Trojan, called Faketoken, has been active for a long time. However, the most recent version has been upgraded and filled with malicious tricks.
Once the Trojan gets onto a smartphone, it installs the necessary modules. The malware hides its icon from the user and starts to monitor all actions in the system.
The Trojan starts with the victim's calls, which it records. Once a call is done, Faketoken transmits the recording to its C&C server.
In addition, Faketoken monitors which apps are in use. Once the Trojan discovers an active app whose interface it is able to simulate, it covers the display with its own screen.
V. Chebyshev of Kaspersky also noted:
It should be noted that all of the apps attacked by this malware sample have support for linking bank cards in order to make payments. However, the terms of some apps make it mandatory to link a bank card in order to use the service. As millions of Android users have these applications installed, the damage caused by Faketoken can be significant.
Targeted apps include a range of mobile banking apps, Android Pay, hotel and flight booking apps, traffic apps and many more.
The threat does not end with stolen credentials. The malware is also capable of intercepting all incoming SMS texts, hiding them from the victim, and transmitting them to the attackers' server. In this way, SMS messages that include payment confirmations end up with the criminals.
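The behaviours described above (covering other apps with its own screen, recording calls, intercepting SMS) each depend on Android permissions an app has to request. The following triage check is an added example, not code from Kaspersky's report: the behaviour-to-permission mapping is this example's assumption, and both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Behaviour described in the article -> permissions it would need.
# This mapping is the example's assumption, not data from the Kaspersky report.
BEHAVIOURS = {
    "overlay on other apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "intercept incoming SMS": {"android.permission.RECEIVE_SMS"},
    "record calls": {"android.permission.RECORD_AUDIO",
                     "android.permission.READ_PHONE_STATE"},
}

def triage(manifest_xml):
    """Report which of the described behaviours a decoded manifest could support."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    matched = sorted(b for b, need in BEHAVIOURS.items() if need <= perms)
    # A high-priority SMS_RECEIVED filter means the app wants messages first.
    sms_priority = None
    for filt in root.iter("intent-filter"):
        actions = {a.get(A + "name") for a in filt.iter("action")}
        if "android.provider.Telephony.SMS_RECEIVED" in actions:
            prio = int(filt.get(A + "priority", "0"))
            sms_priority = prio if sms_priority is None else max(sms_priority, prio)
    return {"package": root.get("package"), "matched": matched,
            "sms_priority": sms_priority,
            "review": len(matched) == len(BEHAVIOURS)}  # all three together

NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
# Constructed sample manifests (not from any real app or malware sample).
SUSPECT = f"""<manifest {NS} package="com.example.constructed.updater">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application><receiver android:name=".SmsRx">
    <intent-filter android:priority="999">
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver></application>
</manifest>"""
BENIGN = f"""<manifest {NS} package="com.example.constructed.taxi">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPECT, BENIGN):
        print(triage(m))
```

A match only marks an app for closer review; legitimate apps can request any one of these permissions on its own.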
Given the small number of attacks, it is possible that this version of the Trojan is only a test version and not the final one. The cybercriminals are most likely to improve the Trojan and spread it more widely.
At the moment, the Trojan targets mostly Russian users, but judging by past practice, cybercriminals are likely to adopt each other's ideas. So it shouldn't take long to adapt the Trojan and use it to target other countries.