Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Faketoken, the Android ransomware banker that encrypted files

The banker Android ransomware Faketoken that steals financial information and sensitive data now also implements file-encrypting abilities. Security experts from Kaspersky Lab have spotted a strain of known Android malware that now implements also ransomware-like abilities. According to the researchers, Vxers are adding file-encrypting capabilities to traditional mobile banking trojans, the result is a malware that […]

Faketoken, the Android ransomware banker that encrypted files

The banker Android ransomware Faketoken that steals financial information and sensitive data now also implements file-encrypting abilities.

Security experts from Kaspersky Lab have spotted a strain of known Android malware that now implements also ransomware-like abilities. According to the researchers, Vxers are adding file-encrypting capabilities to traditional mobile banking trojans, the result is a malware that is able both to steal sensitive data and lock user files on the phone’s SD card.
This malware with hybrid capabilities is also called ransomware banker.The ransomware functionality in mobile banking Trojans is considered an exception, the Svpeng malware discovered in 2014 is one of the first malware with this ability. The modern mobile ransomware doesn’t limit their actions to block the screen, but it also encrypts user files.The trojan discovered by Kaspersky is dubbed Faketoken, the name suggests its primary feature is to steal login credentials by generating fake login screens for more than 2,000 financial applications. Faketoken is also able to steal credit card information by displaying victims displays phishing pages.

Faketoken phishing page

Researchers noticed that file-encrypting capabilities were implemented in Faketoken since July and have since released thousands of versions that include new features.

“We have managed to detect several thousand Faketoken installation packages capable of encrypting data, the earliest of which dates back to July 2016.” reads a blog post published by Kaspersky. 

Trojan-Banker.AndroidOS.Faketoken is distributed under the guise of various programs and games, often imitating Adobe Flash Player.”

The researchers confirmed the number of the victims exceeds 16,000 users, they observed infections in 27 countries, mostly in Russia, Ukraine, Germany, and Thailand.

Faketoken uses an AES symmetric encryption algorithm to encrypt the files, this is a good news for the victims that have a chance of decrypting them without paying a ransom.

“The Trojan receives the encryption key and the initialization vector from the C&C server. The encrypted files include both media files (pictures, music, videos) and documents. The Trojan changes the extension of the encrypted files to .cat.” continues the analysis.

The researchers highlighted the fact that file encryptions are not popular with the mobile malware developers because most files stored on a mobile device are usually copied to the cloud.

For more in on Faketoken give a look at the technical analysis published by Kaspersky.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Faketoken, ransomware banker)

[adrotate banner=”13″]