Virus Profile: Android/FakeToken.A

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 3/10/2012
Date Added: 3/19/2012
Origin: N/A
Length: N/A
Type: Malware
Subtype: PDA Device
DAT Required: N/A

Description

Android/FakeToken.A is a malicious application that pretends to be a security token used as a second factor of authentication in online banking transactions. In fact it steals banking credentials and executes commands from a C&C server in order to leak sensitive data (SMS messages, contact list) and to download and install other applications.

Indication of Infection

• Appears to be a security token used as a second factor of authentication in online banking transactions.

• Intercepts received SMS with mTANs in order to send them to a remote server.

• Sends the contact list to the C&C server.

• Obtains and sends device information (IMEI, IMSI, phone number) to a remote server.

• Downloads and installs other applications.

Methods of Infection

This malware requires that the user intentionally install it on the device. Users should never install applications from unknown or untrusted developers. This is especially true for illegal software such as cracked applications, which are a favorite vector for malware infection.

Virus Characteristics

Android/FakeToken.A is a malicious application that pretends to be a security token used as a second factor of authentication in online banking transactions, but in fact executes commands from a C&C server. Prior to installation, Android/FakeToken.A requires the following suspicious permissions: SEND_SMS, RECEIVE_SMS, INSTALL_PACKAGES, DELETE_PACKAGES, READ_CONTACTS and RECEIVE_BOOT_COMPLETED.

Once it is installed, Android/FakeToken.A places an icon bearing the logo of a specific bank in the main application menu. When the application is executed, Android/FakeToken.A shows a WebView user interface (an HTML/JavaScript webpage) that asks for the principal banking password in order to generate the fake security token. If the user clicks on “Generar” (Generate) without providing the main password, the application shows an error message. If the password is provided, the fake webpage displays a random number as the mobile token. At the same time Android/FakeToken.A sends an SMS message to a specific number (stored in an XML configuration file inside the original apk file) containing the first password, the device identifiers (IMEI/IMSI) and a prefix that identifies the user’s bank. The same information is also sent to a remote server via an HTTP request.

When an electronic transaction is performed with the original password, an SMS carrying the second factor of authentication is sent to the user’s device. Android/FakeToken.A intercepts all incoming SMS messages and checks whether the originating number and message body match one of the entries stored in the “catch SMS list”. If the received SMS message is in the list, the second factor of authentication contained in the message is sent to the remote server and, if so configured, also forwarded as an SMS to the number specified in the configuration file. Likewise, if the SMS content is in the “delete” list, the message is removed from the device.

Android/FakeToken.A registers a system alarm in order to schedule its own execution at some point in the future (the alarm time and period are defined in a configuration file). When the alarm goes off, a service that runs in the background is started. The service creates and executes a thread that listens for commands sent from the remote servers specified in the configuration file. The commands allow the following actions:

1. Add Command and Control servers.

2. Update the number that receives the initial SMS with the password entered by the user.

3. Remove all the SMS filters in order to capture and send all received SMS to the C&C server.

4. Add/delete SMS numbers from the “catch” and “delete” lists.

5. Send the contact list to a remote server.

6. Force an update of the malware by downloading an apk from a remote server and installing it, tricking the user into believing that it is a legitimate update of the fake token application. The title and the text of the notification are sent by the Command and Control server.
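The permission set listed under Virus Characteristics, the SMS interception described for the “catch” and “delete” lists, and the boot-time/alarm persistence are all visible in an application's manifest before the code is ever run, so a first triage step is a static check of that manifest. The script below is an added example written for this profile; it is not McAfee's code and not code from the malware. It assumes the manifest has already been decoded to plain XML (for instance with apktool), and the intent action names `android.provider.Telephony.SMS_RECEIVED` and `android.intent.action.BOOT_COMPLETED` are the standard Android ones, not values taken from the profile. The sample manifests and the scoring threshold are constructed for the example.

```python
"""Static manifest triage for the Android/FakeToken.A behaviour profile.

Added example (not McAfee's or the sample's code). Assumes the manifest has
been decoded to plain XML; the intent action names below are the standard
Android ones and are an assumption, since the profile does not name them.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree form of the android: attribute prefix

# Permissions the profile says FakeToken.A requires, as declared in a manifest.
FAKETOKEN_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.DELETE_PACKAGES",
    "android.permission.READ_CONTACTS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Standard Android intent actions (assumption: not named on the profile page).
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"


def declared_permissions(root):
    """Set of permission names requested via <uses-permission>."""
    return {e.get(A + "name") for e in root.iter("uses-permission")}


def receivers_for(root, action):
    """(receiver name, filter priority) for every receiver listening for action."""
    hits = []
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            if any(a.get(A + "name") == action for a in flt.iter("action")):
                prio = int(flt.get(A + "priority", "0"))
                hits.append((recv.get(A + "name"), prio))
    return hits


def triage(manifest_xml):
    """Return the FakeToken-style indicators found in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    findings = []

    # Relaying an mTAN needs both receiving and sending SMS.
    if {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"} <= perms:
        findings.append("receives and sends SMS (mTAN relay capability)")
    if "android.permission.INSTALL_PACKAGES" in perms:
        findings.append("INSTALL_PACKAGES (can install further apks)")

    # A receiver on SMS_RECEIVED is how incoming messages are read; a high
    # priority orders it ahead of the messaging app, which on Android releases
    # of this era let it suppress a message (the profile's "delete" list).
    sms_receivers = receivers_for(root, SMS_RECEIVED)
    for name, prio in sms_receivers:
        note = "SMS_RECEIVED receiver %s" % name
        if prio > 0:
            note += " with priority %d (ordered ahead of the messaging app)" % prio
        findings.append(note)

    # Boot receiver + RECEIVE_BOOT_COMPLETED: the background service comes back
    # after a reboot, matching the alarm-driven persistence in the profile.
    boot = receivers_for(root, BOOT_COMPLETED)
    if boot and "android.permission.RECEIVE_BOOT_COMPLETED" in perms:
        findings.append("restarts on boot via %s" % ", ".join(n for n, _ in boot))

    overlap = len(perms & FAKETOKEN_PERMISSIONS)
    return {
        "permission_overlap": overlap,  # of the 6 permissions in the profile
        "findings": findings,
        # Constructed threshold: most of the profile's permissions plus an SMS hook.
        "suspicious": overlap >= 4 and bool(sms_receivers),
    }


# Constructed manifests for demonstration; package names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.token">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Token">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("token-like", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(xml)
        print(label, "suspicious=%s overlap=%d/6" % (result["suspicious"], result["permission_overlap"]))
        for f in result["findings"]:
            print("  -", f)
```

The check is deliberately coarse: a legitimate SMS client also declares SMS permissions and an SMS_RECEIVED receiver, so the output is a triage signal to prioritise manual review of the apk, not a verdict on its own.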

McAfee