Labs - Malware Analysis

Faketoken: full analysis of this dangerous banking Trojan

Written by buguroo | Feb 17, 2020 1:56:27 PM

In recent weeks there have been several samples detected of 'Faketoken', a banking Trojan for Android first detected in 2014. These samples would be using infected devices to send spam or phishing SMS messages for propagation. Due to this message sending activity, often to foreign numbers, users infected with Faketoken trojan suffer from an increase in their telephone bills.

The first versions of this 'banker' worked alongside a desktop banking Trojan that stole logon credentials and then used the Android Trojan to steal SMS authentication messages with single-use codes that authorize transactions or access to the account.

The trojan’s latest versions detected in December and early January only affect Russian banking entities and use the logo and name of the Russian classified ads platform 'Avito' in the Android market to get users to install the application as if it were a legitimate app.


One of the samples detected in January

This behavior suggests that the infection may be carried out through fraudulent websites that deceive users into believing that they need to update the Avito app or install it to gain access to certain content.

 

How does Faketoken trojan function?

This 'banker' for Android follows the usual scheme of this type of malware: it declares an accessibility service that receives the events generated by the user during the use of the rest of the apps. When events related to the affected applications are obtained, it shows code injections to steal banking credentials or credit card information.

As with other malware families, such as Anubis Bankbot or Cerberus, in this case the Trojan does not focus solely on the theft of banking credentials. It also includes support for stealing credit card data when the user launches an application that is unrelated to any banking entity. 

It particularly focuses on social networking applications such as WhatsApp, Telegram or the Russian Vkontakte. Other applications that are also infected by this banking trojan include transportation applications, especially taxis, such as the Yandex Taxis app or Uber, as well as booking applications, such as Trivago or Tripadvisor.

 


A small part of the list of affected apps

 

'Overlay' shown when one of the affected apps is opened

As we can see in the above image, this malware uses 'overlays ' to steal banking credentials and credit card data. The difference with most banking malware lies in the use of native views instead of using WebViews. This way, the 'banker' avoids loading a phishing website to steal the data, which allows the 'overlays' to seem more realistic, since sometimes if it is a Web there are noticeable differences with the original forms.

However, the use of native views and not WebViews limits the ability to add new entities. A different view must be created for each entity, whereas designing and developing a phishing website to display it in a WebView is simpler and faster. This detail may be the reason why this Trojan, since its launch, has only affected Russian entities. Apparently, its authors are interested in the Russian market, so using WebViews to speed up development and increase entity support is not an important aspect for them.

 

Are antivirus applications effective against Faketoken?

A curious feature is that some of the analyzed samples of this banking malware family, include code to check the applications installed on the device every five minutes. If it finds antivirus applications, it will execute an 'Intent' to try to uninstall the app. This way, it tries to prevent antivirus applications from detecting it and alerting the user.

 


Code responsible for executing the 'Intent' to delete the application indicated as a parameter

This functionality is not very common in this type of Trojan, especially if it is specifically to remove antiviruses. Other malware families, usually not 'bankers', do include this functionality, but to allow the attacker with remote access to install and uninstall applications at will, not to delete antimalware software specifically.

 


List of antivirus applications it tries to delete

 

How does Faketoken banking trojan send stolen data?

Another curious detail of its functioning has to do with sending stolen data to the control server. In the case of this family, the malware does not send the stolen credentials right away when the user enters them. Instead, it stores them in an SQLite database to send them to the control server later.

 


The stolen data is stored in SQLite databases for later sending

 

Conclusions of our analysis

After the analysis, we cannot say that this family of banking trojan incorporates major new features compared to other existing families. Only small details stand out, such as the presence of a functionality to delete antivirus applications.

In the banking theft area, in particular, the use of 'overlays' is the same as that of virtually all banking malware families. As a peculiarity, this 'banker' does not use WebViews, so the 'overlay' does not show a phishing website. Instead, it shows a native Android activity with the form.

Although the fact that it has only affected Russian entities and that it does not use 'overlays' based on WebViews suggests that it is unlikely that these fraudsters will extend their entity support to entities outside Russia, we can never be sure. Therefore, we will have to remain alert to changes in Faketoken trojan that could attack new geographies

.