New Faketoken Android malware records calls, intercepts texts, and steals credit card info

A new version of Faketoken was identified by Kaspersky and poses a huge threat to anyone who stores bank card information for in-app purchases.

A year-old piece of Android malware has begun to evolve, taking it from low-level nuisance to serious security threat.

Called Faketoken, the malware is able to record phone calls, intercept and redirect text messages, and put screen overlays on an estimated 2,000 apps to fake payment information windows.

Kaspersky Lab reports that Faketoken has been mainly spotted in Russia but also notes that its evolution has kept pace with its spread around the globe.

If you use Android this is definitely one to be worried about.

How the Faketoken malware spreads

Kaspersky, which identified the malware, hasn't fully reconstructed the infection process yet, but evidence points to Faketoken spreading through bulk SMS messages that prompt users to download images.

Once on the system, the malware obfuscates its existence, installs itself, and hides its icon. It then gets to work monitoring which apps are being used and which messages are being received, and it records every phone call, sending the recordings to its command and control (C&C) server.

Recording phone calls is insidious enough, but that's not Faketoken's main objective: Its goals are to steal credit card numbers and intercept two-factor authentication text messages.

No one expects a sinister overlay

How many apps on your Android device store credit or debit card information? If you're like the average mobile user, the answer is probably at least a few. Those apps sometimes forget info, update and need it reentered, or otherwise ask for verification on occasion, which is exactly what Faketoken aims to exploit.

The roughly 2,000 apps mentioned earlier are all spoofable by Faketoken, which goes a step further in making its spoof pages look realistic: It uses app overlays to trick you into thinking they're legitimate.

Two examples of overlays in one image: The purchase window for buying an item on Google Play, and the overlay demonstrating how to edit a screenshot.

Image: TechRepublic/Brandon Vigliarolo

The apps that Faketoken monitors all support linking bank cards for in-app purchases, Kaspersky researchers said. When Faketoken detects one of those apps running, it substitutes its fake UI and overlay on top of the real app, and it happens pretty much instantly.

That doesn't leave much time for users to realize what's going on.

In order to complete the process of stealing credentials, Faketoken monitors incoming text messages so it can catch one-time passwords before they arrive in the phone's SMS inbox. It redirects them to its C&C server, and with that the hack is complete: Hackers now have your credit card info, expiration dates, CVV, and the one-time password needed to verify enrollment.
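As an added illustration (not from the original article or Kaspersky's analysis): the behaviours described above each depend on Android permissions an app must declare, so a decoded AndroidManifest.xml can be triaged for the overlay-plus-SMS combination. The permission-to-behaviour mapping, the function names, and both sample manifests are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping (not from Kaspersky's report): standard Android permissions
# an app would need for each behaviour the article describes.
BEHAVIOURS = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_intercept": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "call_recording": {"android.permission.RECORD_AUDIO"},
    "app_monitoring": {"android.permission.PACKAGE_USAGE_STATS",
                       "android.permission.GET_TASKS"},
}

def requested_permissions(manifest_xml):
    """Return the permission names declared in a decoded (text) manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def triage(manifest_xml):
    """Map declared permissions to behaviours and return (verdict, hits)."""
    perms = requested_permissions(manifest_xml)
    hits = {b: sorted(perms & needed)
            for b, needed in BEHAVIOURS.items() if perms & needed}
    # An app that can draw over other apps AND read incoming SMS holds both
    # halves of the card-plus-one-time-password theft flow described above.
    if "overlay" in hits and "sms_intercept" in hits:
        return "high", hits
    return ("review" if hits else "low"), hits

_HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
_PERM = '<uses-permission android:name="android.permission.%s"/>'

# Constructed sample manifests (not taken from any real app or sample).
SUSPICIOUS = _HEAD + "".join(_PERM % p for p in (
    "INTERNET", "SYSTEM_ALERT_WINDOW", "RECEIVE_SMS", "RECORD_AUDIO")) + "</manifest>"
BENIGN = _HEAD + "".join(_PERM % p for p in ("INTERNET", "CAMERA")) + "</manifest>"

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage(doc))
```

Legitimate apps also request these permissions, so the verdict is a prompt for closer review rather than a detection on its own.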

Faketoken is still new

Kaspersky is pretty sure that the version of Faketoken it examined was an early test, but it warns of more advanced versions to come, and it's entirely possible those versions are already in the wild.

There's nothing new to be said regarding protecting yourself: Don't install third-party apps, don't download attachments from unknown sources, and keep an anti-malware app installed on your device.

As the amount of mobile malware continues to rise, sophisticated threats like Faketoken are likely to become more and more common. It can be anxiety-inducing to think of all the ways someone can steal your personal information, and ultimately a balance between convenience and security has to be struck.

Security best practices may add a few steps to everyday tasks, but they're essential when hackers are getting better and better at disguising their malware.

Top three takeaways for TechRepublic readers:

  1. Kaspersky Lab has identified a new evolution of a previously known Android malware called Faketoken. This new version can record phone calls, intercept text messages, and spoof app overlays to steal credit card information.
  2. While the Faketoken analyzed by Kaspersky may be an early version, there's no way of knowing if a more advanced version already exists.
  3. Protecting your personal information on an Android device is possible, and it's nothing unique or new. Install anti-malware software, disable third-party app installation, and don't download attachments from unknown senders.

About Brandon Vigliarolo

Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.
