By now, Android users know that they should avoid installing apps from third-party websites and unsolicited download prompts. Those who do not take security seriously end up having to deal with malware that can potentially cost them thousands of dollars. Faketoken, a one-year-old malware strain, recently evolved into a serious security threat, according to Kaspersky Labs.

Faketoken Is No Joke

Faketoken, according to various reports, used to cause only low-impact infections. Its developers have recently upgraded it, and it now has a more effective attack mechanism and reaches far more people.

Kaspersky researchers were not able to reconstruct the events leading to an infection, but believe the malware sneaks onto smartphones through bulk SMS message campaigns that prompt users to download pictures. Those that do so get infected.

Once on the device, Faketoken hides itself by removing its shortcut icon from the launcher. It then remains undetected while monitoring which apps the user opens, which messages are received, phone calls, and the like, and sends all that information to its command and control (C&C) server.

Notably, the Faketoken malware can place screen overlays on an estimated 2,000 apps to trick users into handing their credit card details to its operators. When a user launches one of these applications, the malware covers the app’s UI with a fake one. The substitution is instantaneous, so the user is completely unaware. The damage can be significant, as all of these apps support linking bank cards. Kaspersky stated:

“It should be noted that all of the apps attacked by this malware sample have support for linking bank cards in order to make payments. However, the terms of some apps make it mandatory to link a bank card in order to use the service.”

Since most of these apps require two-factor confirmation through an SMS code, the fraudsters complete the process by having Faketoken monitor incoming text messages, capture the one-time passwords, and forward them to its server before the user ever sees them.

More Advanced Version to Come

Kaspersky Labs warned that this version of Faketoken is still rather new, and that more advanced versions are to be expected. In fact, those versions may already be out in the wild. To protect yourself against this and other types of malware, be very careful with attachments from unknown sources, do not install apps from third-party sources, and use an anti-malware app.

Faketoken’s screen overlays indicate that the version Kaspersky tested was still unfinished, as it contained formatting errors that would make it obvious to the victim that something is off. Interestingly, the malware has been mainly spotted in Russia and other ex-Soviet countries. The researchers stated:

“To this day we still have not registered a large number of attacks with the Faketoken sample, and we are inclined to believe that this is one of its test versions. According to the list of attacked applications, the Russian UI of the overlays, and the Russian language in the code, Faketoken.q is focused on attacking users from Russia and CIS countries.”