FakeToken
A new piece of malware was discovered by security researchers at McAfee, one that primarily targets Android systems. The app can remotely steal a user’s banking credentials from the user’s mobile device, without even triggering anti-malware apps.
As explained by McAfee researcher Carlos Castillo in a blog post, the application, dubbed FakeToken, targets major financial institutions by posing as a Token Generator app. When the application is installed, the malware even goes so far to mimic the targeted bank’s logo and color scheme, adding a certain credibility to the scheme, and making it hard for users to distinguish between the legitimate and the malicious applications.
When running the application, users are presented with a WebView component that displays an HTML/JavaScript webpage, which is supposed to be an official Token Generator. The user is initially prompted to enter the first factor of authentication that is used to obtain access to the banking account. The application shows an error if this step is not completed. On clicking “Generar” (Generate, the malware is targeted to the users of Spanish banks), the app shows a fake token (in fact, a random number), and then proceeds to send the password to a specific cell phone number along with the device’s IMEI and IMSI numbers. The same information is also sent to a control server along with more data such as the device’s phone number. The malware gets the list of control servers in an XML file inside the original APK.
McAfee’s Castillo added that the malware also contains commands to update itself, spy on the infected system, and create a schedule to auto-run at a later date. The app retrieves all the contact information stored on the phone and serializes this information to send it to a control server.
The security researcher warned that similar malware that target other banking institutions are constantly evolving and with the ever-increasing popularity of Android and mobile banking applications, we can expect even more threats of this kind to appear.
Do you use mobile banking? What, if any, security features would you recommend to avoid problems with malware in the future?
