Android/FakeToken 2.0 Goes Back to Basics

In March a new type of financial attack on Android devices was found targeting customers of several banks in Europe. Dubbed FakeToken, one of the principal differences of this new threat–compared with previous Trojan bankers for Android such as Zitmo/Spitmo–was the fact that both authentication factors (Internet password and mTAN) were stolen directly from the mobile device. In this case the cybercriminals had no need to first infect PCs to steal bank account passwords.

Recently a new version of this malware was found being distributed through phishing emails pretending to be sent by the targeted bank. According to an alert published by the affected bank, the malware attack simulates the real Internet banking site by asking for confidential information like personal email and phone number. This information is used to initiate the mobile attack.

Another technique used to distribute this malware includes injecting web pages from infected computers, simulating a fake security app that presumably avoids the interception of SMS messages by generating a unique digital certificate based on the phone number of the device. The fake web page provides a URL that is intended to be entered into the mobile browser, prompting the user to download/install the malware on the mobile device.

Finally, a third version injects a phishing web page that redirects users to a website pretending to be a security vendor that offers the “eBanking SMS Guard” as protection against “SMS message interception and mobile Phone SIM card cloning.”

Once the application is downloaded and the user tries to install it, the malware requests almost the same permissions as the first version, but the application doesn’t access the contact list. This change was likely made to avoid raising suspicions.

Another difference between the two versions is the name that the malware authors used for the malicious application. Instead of naming it “TokenGenerator,” the new version gives the look and feel of security software for protecting SMS messages received by the customer.

When the user executes the application, the malware shows a WebView component displaying an HTML/JavaScript web page that pretends to be an mToken app and not the “SMS Guard” used in the name. Instead of asking the user to enter the first factor of authentication this version shows just the fake mToken, which suspiciously never changes.

At the same time, the malware sends to a specific number an SMS message with the device identifier (IMEI) of the affected device. The same identifier, along with others like the IMSI and phone number, are also sent to a remote server to register the infected device in the control server of the attacker. From this point, all SMS content received by the infected device is sent to a remote server and to the phone number specified in the configuration file inside the original APK file.

Taking into account this new version of FakeToken and the recent version of Zitmo, it’s clear that Android Trojan bankers are becoming more prevalent. This is partially due to the increased adoption of mobile banking as well as the constant evolution of cybercriminal methods. By targeting different financial entities and changing their methods, cybercriminal attacks appear more credible (by removing excess functions) to victims and more effective in getting mTANs by intercepting all the SMS messages received by the affected user.

McAfee Mobile Security detects this threat as Android/FakeToken.B and alerts mobile users if it is present on their devices, while protecting them from any data loss. For more information about McAfee Mobile Security, visit