Banking Malware is Rapidly Growing on Android

The concept of mobile malware working in bond with computer Trojans to steal money via online banking is not new, however Kaspersky Lab Q1 report indicates that it quickly gaining “market share”.

Financial fraud remains one of the most dangerous kinds of activity that a malware might perform after infecting your computer. So called “banking Trojans” are able to inject themselves between you and your bank, thus manipulating your funds and redirecting your payments to criminals’ bank accounts. To counter this threat, most banks utilize so-called “Two-factor authentication“, which is typically implemented via SMS. When you try to transfer funds online, you must approve the transaction using your password, plus a one-time password (OTP, mTAN) being sent via text message to your smartphone. In turn, criminals developed a scheme in which they try to infect both your computer and smartphone to steal the password and mTAN at the same time. This scheme was first introduced in the Zeus/ZitMo malware duo, and it proved quite effective. Recently, the same concept was implemented in the Android malware called Faketoken. Unfortunately, it is quite effective, too, and a recent report, “IT threat evolution Q1 2014” published by Kaspersky Lab, indicates that Faketoken reached #13 in the Top 20 mobile threats “hit parade”, accounting for 4,5% of all infections.

The mechanics of Faketoken infection is actually quite interesting. Criminals utilize social engineering to infect a smartphone. During an online banking session, the computer-based Trojans use a web inject to seed a request on the infected webpage to download an Android application that is allegedly needed in order to conduct secure transactions, but the link actually leads to Faketoken. After the mobile threat ends up on a user’s smartphone, cybercriminals then use the computer-based Trojans to gain access to the victim’s bank account, and Faketoken allows them to harvest mTANs and transfer the victim’s money to their accounts.


According to reports, most mobile banking threats are designed and initially used in Russia; later, cybercriminals may subsequently use them in other countries. Faketoken is one such program. During the first three months of 2014, Kaspersky Lab detected attacks involving this threat in 55 countries, including: Germany, Sweden, France, Italy, the UK, and the US. To mitigate the risk, users must utilize Multi-Device protection, i.e. using a dedicated security solution both on PC and Android smartphone.

Tips