Canadian Underwriter

Kaspersky discovers new version of Android Trojan that steals credentials from taxi and ridesharing app users

August 18, 2017   by Canadian Underwriter

Researchers from cybersecurity company Kaspersky Lab reported on Thursday that they have discovered a new modification of the well-known mobile banking Trojan, Faketoken, which is now able to steal credentials from taxi and ridesharing app users.

Based on the results of Kaspersky Lab’s research, cybercriminals are targeting the “most popular international taxi and ridesharing services with this malware,” the company said in a press release.

Nowadays, more and more mobile app services are storing confidential financial data, including taxi services and ridesharing apps that require the user’s bank card information. These apps are installed on millions of Android devices worldwide, “making them attractive targets for cybercriminals, who have significantly extended the functionality of mobile banking malware,” the cybersecurity company said.

The new version of Faketoken tracks running apps in real time, and when a user launches one of the apps it targets, the Trojan overlays it with a phishing window to steal the victim’s bank card details. The phishing window has an interface identical to that of the targeted app, with the same colour schemes and logos, which creates an instant and completely invisible overlay, the company said, adding that overlaying is a common feature enabled in many mobile applications.

In addition, the Trojan steals all incoming SMS messages by redirecting them to its command and control servers, allowing criminals access to one-time verification passwords sent by a bank, or other messages sent by taxi and ridesharing services. This Faketoken modification can also monitor users’ calls, record them and transmit the data to the command and control servers, Kaspersky noted.

Last year, Kaspersky Lab reported a modification of Faketoken that was attacking more than 2,000 financial apps around the world by disguising itself as various programs and games, often imitating Adobe Flash Player. Since then, Faketoken has been developed further, and has expanded the geography of its activities.

“The fact that cybercriminals have expanded their activities from financial applications to other areas, including taxi and ridesharing services, means that the developers of these services may want to start paying more attention to the protection of their users,” suggested Viktor Chebyshev, security expert at Kaspersky Lab, in the release. “The banking industry is familiar with fraud schemes, and its solution of implementing security technologies in apps has significantly reduced the risk of theft of critical financial data. Perhaps now it is time for other services that are working with financial data to follow suit.”

While the new version of Faketoken targets mostly Russian users, “the geography of attacks could easily be extended, like we have seen with previous versions of Faketoken,” Kaspersky argued.

Researchers have also detected Faketoken attacks on other popular mobile apps, such as travel and hotel booking apps, apps for traffic fine payments, Android Pay and Google Play.