The Faketoken Trojan sends out offensive texts

The ransomware app now uses infected devices to send SMS messages abroad on the victim’s dime.

The inventiveness of virus makers knows no bounds. Some ransomware apps now have mining capabilities, and some banking trojans extort their victims. Faketoken may have a goofy name, but this banking Trojan for Android devices is serious business.

Faketoken: From SMS thief to full-fledged banker

The banking Trojan Faketoken has been around for quite a while — back in 2014, it made our top 20 list of the most widespread mobile threats. Back then, the malware operated in concert with desktop banking Trojans. The desktop app hacked victims’ accounts and withdrew money, and Faketoken intercepted text messages with one-time passwords to confirm the transactions.

By 2016, Faketoken had become a full-fledged mobile banking Trojan, stealing money directly. It overlaid other apps with fake windows to trick users into entering their logins, passwords, and bank card info. It also functioned effectively as ransomware, blocking the infected devices’ screens and encrypting their files.

By 2017, Faketoken could mimic a lot of apps — mobile banking apps, e-wallets such as Google Pay, and even taxi service apps and apps for payment of fines and penalties — to steal bank account data.

An unexpected turn for Faketoken

Not long ago, our botnet activity monitoring system — Botnet Attack Tracking — detected that some 5,000 smartphones infected by Faketoken had started sending offensive text messages. That seemed weird.

SMS capability is in fact standard equipment for mobile malware apps, many of which spread through download links they send to victims’ contacts. In addition, banking Trojans often ask to become the default SMS application so they can intercept confirmation code messages. But for banking malware to turn into a mass texting tool? We had never seen that before.

SMS abroad — at your expense

Faketoken’s messaging activities are charged to the infected device owners. Before sending anything out, it confirms that the victim’s bank account has sufficient funds. If the account has the cash, then the malware uses the card to top up the mobile account before proceeding with messaging.

Many of the smartphones infected by Faketoken were texting a foreign number, so the messages the Trojan sent cost the users quite a bit.

Protecting yourself from Faketoken

We don’t yet know whether this Faketoken offensive is a one-off campaign or the beginning of a trend. For now, however, to avoid getting ensnared:

  • Install only applications distributed by Google Play, and use your phone’s settings to disable the downloading of apps from other sources.
  • Do not follow links from messages unless you are sure they are safe — even messages from people you know. For example, if someone who normally posts photos on social media or sends them through instant messaging apps instead sends you a text message with a link, that’s a red flag.
  • Install a reliable security solution.  detects and blocks Faketoken as well as many other mobile malware apps.