Security researchers have identified a new Android Trojan known as Faketoken that combines the data theft of a banking Trojan with ransomware capabilities.
The FakeToken Android Malware Exhibits Ransomware Capabilities
Security researchers from Kaspersky Lab have identified a new Android Trojan known as Faketoken with a particularly damaging feature set.
According to their analysis, the Trojan carries a built-in encryption module that can lock the user's files while it also steals sensitive information. That combines two distinct and dangerous threats, ransomware and banking Trojans, in a single sample, which the researchers have labelled a "ransomware banker". They compare it to the Svpeng banking Trojan, which has been used in numerous attacks.
The Trojan's main goal is to steal the victim's payment card details through phishing pages shown as screen overlays on top of legitimate applications. At the time of the analysis the confirmed victims exceeded 16,000 users in 27 countries, including Russia, Ukraine, Thailand and Germany.
The Trojan does not bypass the Android permission model; it wears the user down instead. After installation it repeatedly asks the user to grant it extended rights, such as device administrator and the permission to draw over other apps, and if the user declines, the prompts keep reappearing until they are granted. The final step is to have Faketoken set as the default SMS application, which lets it read incoming text messages, including one-time codes sent by banks, without the user noticing. Android allows only one default SMS handler at a time, so checking which package currently holds that role is a quick triage step on a suspect device.
Faketoken encrypts the targeted user data with AES, a symmetric cipher. The key and the initialization vector (IV) are not generated on the device but received from the remote C&C server, which means the files cannot be recovered from the device alone; a capture of that exchange, on the other hand, would contain everything needed to decrypt them. The targeted data includes documents and media files (pictures, videos and music); after encryption the files carry the .cat extension.
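To make the scheme above concrete, here is an added example (not Faketoken's code, and not from Kaspersky's analysis) that models the file-encryption step and the responder's recovery of a file when the key and IV have been captured. The report names only AES, so the mode (CBC), the padding (PKCS#7), the key size (AES-128), the constant `c2Key`/`c2IV` stand-ins for the values the Trojan downloads, the appended `.cat` extension and the deletion of the original file are all assumptions made for the example; the sample "photo" is constructed inline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Constructed stand-ins for the key and IV the Trojan fetches from its C&C server.
// AES-128 in CBC mode with PKCS#7 padding is an assumption; the report says only "AES".
var c2Key = []byte("0123456789abcdef") // 16 bytes: AES-128
var c2IV = []byte("fedcba9876543210")  // 16 bytes: one AES block

// Encrypt pads with PKCS#7 and encrypts in CBC mode under the supplied IV.
func Encrypt(key, iv, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plain)%aes.BlockSize // 1..16 bytes, never zero
	padded := append(plain[:len(plain):len(plain)], bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// Decrypt reverses Encrypt. CBC alone has no integrity check, so a wrong key/IV or
// a damaged file is usually, but not always, caught only as a padding error.
func Decrypt(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	n := int(out[len(out)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong key/IV or tampered file")
	}
	return out[:len(out)-n], nil
}

// EncryptToCat models the Trojan's step: write <path>.cat and delete the original
// (assumption: the extension is appended to the name and the plaintext removed).
func EncryptToCat(path string, key, iv []byte) (string, error) {
	plain, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	ct, err := Encrypt(key, iv, plain)
	if err != nil {
		return "", err
	}
	if err := os.WriteFile(path+".cat", ct, 0o600); err != nil {
		return "", err
	}
	return path + ".cat", os.Remove(path)
}

// RecoverFromCat is the responder's side: if the key and IV were captured from the
// C&C exchange, the file decrypts directly because nothing device-specific is involved.
func RecoverFromCat(catPath string, key, iv []byte) (string, error) {
	ct, err := os.ReadFile(catPath)
	if err != nil {
		return "", err
	}
	plain, err := Decrypt(key, iv, ct)
	if err != nil {
		return "", err
	}
	out := strings.TrimSuffix(catPath, ".cat")
	return out, os.WriteFile(out, plain, 0o600)
}

func main() {
	dir, _ := os.MkdirTemp("", "faketoken-demo")
	defer os.RemoveAll(dir)
	doc := filepath.Join(dir, "holiday.jpg") // constructed sample "photo"
	_ = os.WriteFile(doc, bytes.Repeat([]byte("constructed image bytes "), 300), 0o600)
	cat, err := EncryptToCat(doc, c2Key, c2IV)
	fmt.Println("encrypted to", cat, err)
	_, err = RecoverFromCat(cat, []byte("not-the-c2-key!!"), c2IV) // wrong key: almost always a padding error
	fmt.Println("wrong key:", err)
	restored, err := RecoverFromCat(cat, c2Key, c2IV)
	fmt.Println("recovered", restored, err)
}
```

Two points the code makes that the paragraph only implies: the encrypted file is exactly the plaintext rounded up to the next block, so a `.cat` file's size alone tells you nothing was appended or stripped, and because there is no authentication tag, a wrong key fails only through the padding check, which is why any recovery tool built on captured key material should verify a decrypted file by its format header rather than trust a clean padding result.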
The operators can also replace application shortcuts and use related tricks for further social-engineering and system-modification attacks. Faketoken is proficient at harvesting user data: it downloads from the C&C server a database of predefined phrases in 77 languages, matched to the device's localization, and builds its phishing messages from them so that the text reads naturally for the victim's locale.
Faketoken Aims For The Google Account
The Trojan targets Gmail (and with it the associated Google account) as well as the Google Play application, in order to capture the payment card details stored with those services. It also downloads a list of application templates from which it generates phishing pages displayed as overlays on top of the real app. According to the analysis, the samples receive a list of 2,249 mobile applications to overlay.
In addition, the Trojan can use its privileges to modify the system (factory reset, file changes and so on). The full list of commands Faketoken accepts from its C&C server is:
- Change masks to intercept incoming messages
- Send text messages to a specified number with a specified text
- Send text messages with a specified text to a specified list of recipients
- Send a specified text message to all contacts
- Upload all text messages from the device to the malicious server
- Upload all the contacts from the device to the malicious server
- Upload the list of installed applications to the malicious server
- Reset the device to factory settings
- Make a call to a specified number
- Download a file to the device following a specified link
- Remove specified applications
- Create a notification on the phone to open a specified page or run a specified application
- Start overlaying specified applications with a specified phishing window
- Open a specified link in its own window
- Run an application
- Block the device in order to extort money for unblocking it. This command may include an option indicating the need to encrypt files
For more information, read the full analysis on Kaspersky's site.