Security researchers have recently observed an Android banking Trojan dubbed Faketoken draining its victims’ accounts to fuel offensive mass text campaigns targeting mobile devices all over the world.
Faketoken is an Android malware strain first introduced in an F-Secure report from 2012 as a Mobile Transaction Authentication Number (mTAN) interceptor camouflaged as a mobile token generator. The Trojan later added ransomware capabilities in December 2016.
Besides using fake logins and phishing overlay screens to steal credentials and exfiltrating the mTANs that banks use to validate online transactions, the malware can also generate customized phishing pages targeting over 2,200 financial apps, and can steal device information such as the IMEI and IMSI numbers, the phone number, and more.
Banking malware turned offensive mass texting tool
“Not long ago, our botnet activity monitoring system — Botnet Attack Tracking — detected that some 5,000 smartphones infected by Faketoken had started sending offensive text messages,” says Alexander Eremin, malware analyst at Kaspersky Lab. “That seemed weird.”
While the vast majority of mobile malware comes with SMS capability out of the box and uses it for various purposes, including intercepting text messages and spreading to other devices, banking malware that uses it to send mass texts is quite unusual.
Once it manages to infect a target’s device, Faketoken checks whether the victim’s bank accounts have enough money and uses the stolen payment cards to add credit to the victim’s mobile account.
After making sure that the funds are ready to be exhausted, Faketoken proceeds to send offensive text messages to local and international phone numbers to infect devices from all over the world, at the victim’s expense.
“Faketoken’s messaging activities are charged to the infected device owners,” Eremin adds. “Before sending anything out, it confirms that the victim’s bank account has sufficient funds.