Many mobile malware developers will take great pains to hide infections through hidden app icons, obfuscation, disguises, and more, but in some cases, a sample will pop up which appears to do exactly the opposite.
Trojans are generally created for the purposes of covert surveillance, persistence maintained through backdoors, and the theft of information including online account credentials in a bid to steal funds, cryptocurrency, or to generate revenue through subscriptions to premium mobile services without a victim's consent.
When this variant of malware lands on a traditional PC, families including DanaBot, PyXie, RevengeRAT, and Dacls will often leverage software exploits to burrow into a system. In the mobile world, Trojans may be installed through malicious applications, bundled into otherwise legitimate-looking software, or through drive-by downloads in the form of APKs.
Faketoken, for example, is an Android banking Trojan. The malware has been around for years and back in 2014 made a Top 20 list of the most dangerous banking Trojans in existence.
Back then, Faketoken was found in tandem with other desktop Trojans. While other forms of malware would compromise PCs to steal credentials and attempt to withdraw funds, Faketoken was used as a form of 'bolt-on' to intercept any one-time passwords sent to confirm the fraudulent transactions.
Two years on, and the malware's developers have taken pains to improve its capabilities. Kaspersky researchers say that Faketoken can now be considered "full-fledged" as by this point the malware was able to steal money directly -- no longer relying on other Trojans to provide this functionality -- and it used phishing login screens and overlaid windows to dupe mobile victims into handing over their online account credentials or bank account data.
In addition, the malware was improved with ransomware functionality. If Faketoken landed on a vulnerable Android device, it was able to lock device screens, encrypt files, and demand payment.
"By 2017, Faketoken could mimic a lot of apps -- mobile banking apps, e-wallets such as Google Pay, and even taxi service apps and apps for payment of fines and penalties -- to steal bank account data," the researchers say.
Fast forward to the present day and Faketoken has new functionality which Kaspersky deems an "unexpected turn."
Until now, the Trojan appeared to be a serious banking threat focused on data theft and ransoms. However, recent scans undertaken by the cybersecurity firm have found that over 5,000 devices infected with Faketoken are sending out offensive text messages en masse.
It is bizarre activity and not something usually associated with malware containing the functionality and capabilities of strains such as Faketoken.
However, clues in the recipients may indicate why. SMS functionality is part-and-parcel for mobile Trojans as the malware needs to be able to access 2FA and confirmation codes, and when these SMS messages are sent, they are charged at the victim's expense -- and are expensive as the texts are sent to others abroad, potentially providing a fresh revenue stream for the malware operators.
"Before sending anything out, it confirms that the victims' bank account has sufficient funds," the researchers say. "If the account has the cash, then the malware uses the card to top up the mobile account before proceeding with messaging. Many of the smartphones infected by Faketoken were texting a foreign number, so the messages the Trojan sent cost the users quite a bit."
Techniques and methods to dupe, scam, and steal from victims are constantly evolving -- and in Faketoken's case, the team is not sure if the offensive messages were a trial, test, or indication of a coming trend.
Previous and related coverage
- When one isn't enough: This shady malware will infect your PC with dual Trojans
- Lazarus pivots to Linux attacks through Dacls Trojan
- Asruex Trojan exploits old Office, Adobe bugs to backdoor your system
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0