{"id":18380,"date":"2020-01-13T06:13:00","date_gmt":"2020-01-13T11:13:00","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/faketoken-trojan-sends-offensive-sms\/18380\/"},"modified":"2021-10-04T22:17:10","modified_gmt":"2021-10-04T16:47:10","slug":"faketoken-trojan-sends-offensive-sms","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/faketoken-trojan-sends-offensive-sms\/18380\/","title":{"rendered":"The Faketoken Trojan sends out offensive texts"},"content":{"rendered":"

The inventiveness of virus makers knows no bounds. Some ransomware apps now have mining capabilities<\/a>, and some banking trojans extort their victims<\/a>. Faketoken may have a goofy name, but this banking Trojan for Android devices is serious business.<\/p>\n

Faketoken: From SMS thief to full-fledged banker<\/h2>\n

The banking Trojan Faketoken has been around for quite a while \u2014 back in 2014, it made our top 20 list of the most widespread mobile threats<\/a>. Back then, the malware operated in concert with desktop banking Trojans<\/a>. The desktop app hacked victims\u2019 accounts and withdrew money, and Faketoken intercepted text messages with one-time passwords to confirm the transactions.<\/p>\n

By 2016, Faketoken had become a full-fledged mobile banking Trojan, stealing money directly<\/a>. It overlaid other apps with fake windows to trick users into entering their logins, passwords, and bank card info. It also functioned effectively as ransomware, blocking the infected devices\u2019 screens and encrypting their files.<\/p>\n

By 2017, Faketoken could mimic a lot of apps \u2014 mobile banking apps, e-wallets such as Google Pay, and even taxi service apps<\/a> and apps for payment of fines and penalties \u2014 to steal bank account data.<\/p>\n\n

An unexpected turn for Faketoken<\/h2>\n

Not long ago, our botnet activity monitoring system \u2014 Botnet Attack Tracking \u2014 detected that some 5,000 smartphones infected by Faketoken had started sending offensive text messages. That seemed weird.<\/p>\n

SMS capability is in fact standard equipment for mobile malware apps, many of which spread through download links they send to victims\u2019 contacts. In addition, banking Trojans often ask to become the default SMS application so they can intercept confirmation code messages. But for banking malware to turn into a mass texting tool? We had never seen that before.<\/p>\n

SMS abroad \u2014 at your expense<\/h2>\n

Faketoken\u2019s messaging activities are charged to the infected device owners. Before sending anything out, it confirms that the victims bank account has sufficient funds. If the account has the cash, then the malware uses the card to top up the mobile account before proceeding with messaging.<\/p>\n

Many of the smartphones infected by Faketoken were texting a foreign number, so the messages the Trojan sent cost the users quite a bit.<\/p>\n\n

Protecting yourself from Faketoken<\/h2>\n

We don\u2019t yet know whether this Faketoken offensive is a one-off campaign or the beginning of a trend. For now, however, to avoid getting ensnared:<\/p>\n