Faketoken is Back: How to Stay Safe from the Trojan Targeting Android Devices

In February 2020, BI.ZONE detected a surge in the Faketoken trojan activity. Trojan-Banker.AndroidOS.Faketoken disguises itself as an application for a popular online classifieds platform, with over 2,000 victims infected daily. BI.ZONE experts explain what you should know about the trojan and how to protect yourself from it.

What Is Faketoken?

In February 2020, criminals launched a large-scale Faketoken malware distribution campaign targeted at customers of a popular classifieds platform in Russia. Detected first in 2012, the trojan is not unknown to the cybersecurity community. Back then, its capabilities were limited to intercepting SMS passwords from online banks. Over 8 years of evolution, the malware has acquired more features.

The Faketoken of 2020 is able to capture SMS and transfer them to the criminals’ server and display phishing windows over legitimate applications in order to collect bank card details. Targeted applications include those of banks and mobile operators, online classifieds platforms, ticket booking portals, taxi services and many others.

The latest version of Faketoken comes with a new capability: the trojan prevents any attempts by antivirus programs to remove it.

BI.ZONE experts attribute this recent spike in trojan activity in Russia to the massive transition to remote work. Criminals are taking advantage of the upswing in online trading during the lockdown.

As at mid-April, the Faketoken botnet exceeded 10,000 devices. To spread this malware, the criminals registered up to 7 new phishing domains daily.

I have an Android device! Am I at risk?

Yes. This is the most common method that hackers use to spread the malware:

1. A user posts an advertisement on a popular online classifieds platform.

2. They receive an SMS or a notification to a messenger with a link to a phishing page. The message and phishing page suggest that the user has received a payment for the item they sell, and contain information from the original advertisement: the victim’s username and the item’s details, including its price and photograph. The financial enticement prompts the user to throw caution to the wind.

Criminals address the victim by name to lull them into a false sense of security

3. The user clicks the link and downloads an APK setup file, whose name and icon look exactly like the application of this classifieds website.

Criminals give detailed instructions to the user on how to install the malware

4. After the victim starts the application, the malware displays a fake error notification.

The application prompts the user to grant it permissions to use the Android Accessibility Service

5. With this done, the trojan assumes administrator rights, closes all the open windows and removes the application icon from the list of installed software. The infected device looks exactly the same as before the malware was installed — as if nothing had happened.

However, the malware has already sneaked into the system and is waiting for an opportunity to steal the victim’s money. Faketoken tracks user-device interaction and as soon as the user logs in to the desired application (the malware has a target list) the trojan requests to enter bank card details under a false pretext.

A booking portal, a taxi service and a well-known bank — the trojan is specifically set to target particular applications

Many users are accustomed to a common verification procedure when a certain amount is charged to the card and refunded once the card is confirmed. Therefore, a seemingly legitimate request by the bank to provide card details for additional verification might not raise any alarm with the device owner. The trojan collects the card details entered by the user and intercepts SMS passwords from the bank. This is how the criminals obtain all the information they need to steal money from the victim’s account. In addition to losing capital, cardholders run the risk of having their overdrafts and credit cards maxed out, ultimately ending up in debt. In the worst-case scenario, the attacker gets access to the victim’s other bank accounts.

What if I downloaded the trojan? Are they going to steal all my money?

No, you can still save your funds by deleting the malware. However, Faketoken is not a simple trojan, it actively struggles with your antivirus software and cannot be deleted like a normal app.

The antivirus cannot combat the trojan — Faketoken imitates the user’s actions and closes the program window

To get past this feature, you need to turn on the safe mode on your Android device. This will allow you to remove the malware unobstructed. The steps can vary depending on the type of device — for example, some Samsung smartphones require that you restart your phone then press and hold the volume down key, until your phone is turned on. You can visit the manufacturer’s website to find out how to start your device in safe mode.

Less than one minute to remove the trojan in safe mode

Are there any precautions against the trojan?

Certainly! If you follow these simple rules, there is almost a zero chance that you will have your device compromised and money stolen:

1. Do not click on any suspicious links or download files from unknown sources.
2. Download applications from official stores only, such as Google Play.
3. Keep Google Play Protect enabled.
4. Use antivirus that runs frequent updates of its virus signature database.
5. Avoid using your primary phone number to advertise on online platforms. Make sure you have a dedicated SIM card for this purpose.
6. Have a separate bank card for online purchases, with a minimum credit limit and a low account balance. Even if your card details are compromised, this will minimise your losses.

Mobile devices running the Android OS are the most popular both in Russia and worldwide. Stay vigilant and share with the people around you the knowledge on how to protect their devices and stop the outbreak of another epidemic — the Faketoken.