Kaspersky Lab announced that the mobile banking Trojan known as Faketoken has now modified to include a data encryption capability. The Trojan is estimated to be attacking more than 2,000 financial applications across the globe.
“We have managed to detect several thousand Faketoken installation packages capable of encrypting data, the earliest of which dates back to July 2016. According to our information, the number of this banker’s victims exceeds 16,000 users in 27 countries, with most located in Russia, Ukraine, Germany and Thailand,” Roman Unuchek, a mobile threats expert at Kaspersky Lab, said in a blog post.
“Trojan-Banker.AndroidOS.Faketoken is distributed under the guise of various programs and games, often imitating Adobe Flash Player,” he continued.
Even if the latest version of the Android operating system is installed on the device, the modified Trojan is still capable of stealing user data because it can interact directly with the protection mechanisms within the OS.
According to Kaspersky Lab, the newly added data-encryption capability is quite unusual because it uses an encryption algorithm that can, in some cases, potentially be decrypted by the user without paying a ransom. This because the majority of mobile ransomware focuses on blocking the device rather than the data.
“Once the Trojan becomes active, it requests administrator rights. If the user denies the request, Faketoken repeatedly refreshes the window asking for these rights, which leaves the victim with little choice,” Unuchek said.
“Once it has received administrator rights, Faketoken starts requesting the necessary permissions: to access the user’s text messages, files and contacts, to send text messages and make calls. These requests will also be repeatedly displayed until the user agrees to provide access.”