Tuesday, December 20, 2016

More than 16 thousand people fell victim to a mobile Trojan that encrypts personal data – CNews.ru


Experts at Kaspersky Lab have detected a new modification of the mobile banking Trojan Faketoken, which can not only block a device's screen to extort money but also encrypt the user's files for the same purpose. Disguised as various games and programs, including Adobe Flash Player, the malware steals information from more than 2 thousand financial apps for Android, Kaspersky Lab told CNews. According to the company, more than 16 thousand people in 27 countries have fallen victim to Faketoken, mostly users from Russia, Ukraine, Germany and Thailand.

According to Kaspersky Lab experts, the ability to encrypt information is not typical of a banking Trojan. Most mobile ransomware blocks the device itself rather than the data on it, because that data is usually also stored in the cloud. Faketoken, by contrast, also encrypts data: both documents and media files (images, music and videos). The Trojan uses the symmetric AES algorithm, which leaves the user a chance to decrypt the data without paying the ransom.

“The fact is that this algorithm uses the same cryptographic key for encoding and decoding information, and that key remains on the device after encryption. Besides, due to the popularity of AES, there are many programs to encrypt and decrypt with it,” the company explained.

Upon infection, the Trojan requests device administrator privileges, the right to cover the windows of other applications, or the right to become the default app for handling SMS. If the user refuses, the dialog box reappears again and again, so the user often simply has to agree.

The Trojan can steal data in almost any language: once the rights are obtained, the malware loads a database of phrases in 77 languages for different device locales. Faketoken uses these phrases to generate phishing emails and steal passwords from Gmail accounts. It can also cover the Google Play Store window to steal the victim's credit card information.

“The latest modification of Faketoken is interesting because some of the new features do not give the attacker tangible benefits. The benefits of encryption are questionable, because the user usually has backup data in the cloud. This does not mean that we should ignore such changes; perhaps they are designed for inexperienced users who are ready to pay the ransom without hesitation. In addition, the modification may be the basis for future improvement of the Trojan, a step towards the development of a continuously evolving, successful family of malware. By talking about the threat, we help people keep their devices and data safe,” commented Roman Unuchek, an anti-virus expert at Kaspersky Lab.

Kaspersky Lab has detected a few thousand Faketoken packages that can encrypt data. The earliest of them dates to July 2016. Protective products detect and block all modifications of the Faketoken Trojan family.
