New Faketoken Trojan targets Taxi and Ride-Sharing App Users

Finalist for the 4th AppsAfrica Innovation Awards revealed
Finalist for the 4th AppsAfrica Innovation Awards revealed.
Mobile Apps
New version of Faketoken Android Trojan hunts for taxi and Ride-Sharing app users.

With the growth of the mobile app market and more apps requiring a user’s bank card information, cybercriminals are finding these apps attractive and they are now able to steal users credentials. Kaspersky Lab researchers have discovered a new modification of the mobile banking Trojan Faketoken. Cybercriminals have extended the functionality of the mobile banking malware.

The new version of Faketoken performs live tracking of apps and, when the user runs a specified app, overlays this with its phishing window to steal the bank card details of the victim. The Trojan has an identical interface, with the same colour schemes and logos, which creates an instant and completely invisible overlay. Based on the results of Kaspersky Lab’s research, the criminals are targeting the most popular international taxi and ride-sharing services with this malware.

Moreover, the Trojan steals all incoming SMS messages by redirecting them to its command and control servers, allowing criminals to get access to one-time verification passwords sent by a bank, or other messages sent by taxi and ride-sharing services. Among other things, this Faketoken modification can also monitor users’ calls, record them, and transmit the data to the command and control servers.

According to Kaspersky Lab, overlaying is a common function enabled in many mobile applications. Last year, Kaspersky Lab reported a modification of Faketoken that was attacking more than 2,000 financial apps around the world by disguising itself as various programmes and games, often imitating Adobe Flash Player. Since then, Faketoken has been developed further and has expanded the geography of its activities.

“The fact that cybercriminals have expanded their activities from financial applications to other areas, including taxi and ride-sharing services, means that the developers of these services may want to start paying more attention to the protection of their users. The banking industry is already familiar with fraud schemes and tricks, and its previous response involved the implementation of security technologies in apps that significantly reduced the risk of theft of critical financial data. Perhaps now it is time for other services that are working with financial data to follow suit. The new version of Faketoken targets mostly Russian users. However, the geography of attacks could easily be extended in the future. We have seen that with previous versions of Faketoken and other banking malware in the past,” said Viktor Chebyshev, security expert at Kaspersky Lab.

Researchers have also detected Faketoken attacks on other popular mobile applications, such as travel and hotel booking apps, apps for traffic fine payments, Android Pay and the Google Play Market.

To protect yourself against the Faketoken Trojan and other Android malware threats, Kaspersky Lab strongly recommends that users do not install apps from unknown sources and use a reliable security solution, such as Kaspersky Mobile Antivirus: Web Security & Applock on their device.

Read more about the new version of Faketoken Android malware on

Edited By: Fundisiwe Maseko
Follow Fundisiwe Maseko on Twitter
Follow on Twitter