Android/FakeToken.A is a malicious application that pretends to be a security token used as a second factor of authentication in online banking transactions, but in fact it is an application that executes commands received from a C&C server. Prior to installation, Android/FakeToken.A requests the following suspicious permissions: SEND_SMS, RECEIVE_SMS, INSTALL_PACKAGES, DELETE_PACKAGES, READ_CONTACTS and RECEIVE_BOOT_COMPLETED.
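A quick triage check for that permission set, as an added example (not code from the original write-up or from the sample). The manifest below is constructed for a hypothetical package; only the six permission names come from the description above.

```python
"""Flag an Android manifest that requests the permission set described above.
Added example, not the sample's code; the manifest is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# The six permissions named in the write-up, fully qualified as they appear
# in AndroidManifest.xml.
FAKETOKEN_PERMISSIONS = frozenset(
    "android.permission." + p for p in (
        "SEND_SMS", "RECEIVE_SMS", "INSTALL_PACKAGES", "DELETE_PACKAGES",
        "READ_CONTACTS", "RECEIVE_BOOT_COMPLETED",
    )
)

# Constructed manifest for a hypothetical package (com.example.securitytoken
# is invented); not the real sample's manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.securitytoken">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Token"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Every android:name carried by a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def faketoken_permission_match(manifest_xml: str) -> dict:
    """Which of the six flagged permissions are requested, and whether all are."""
    present = requested_permissions(manifest_xml) & FAKETOKEN_PERMISSIONS
    return {
        "matched": sorted(present),
        "missing": sorted(FAKETOKEN_PERMISSIONS - present),
        "full_match": present == FAKETOKEN_PERMISSIONS,
    }


if __name__ == "__main__":
    print(faketoken_permission_match(SAMPLE_MANIFEST))
```

Inside a packaged APK the manifest is stored as binary XML, so decode it first (for example with apktool, or list the permissions with `aapt dump permissions app.apk`) before feeding it to this check. Treat a full match as an indicator, not a verdict: a legitimate messaging app also requests SEND_SMS and RECEIVE_SMS. INSTALL_PACKAGES and DELETE_PACKAGES, on the other hand, are not granted to ordinary third-party applications, so an unprivileged APK declaring them is itself worth a closer look.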
When an electronic transaction is performed with the user's regular password, an SMS carrying the second factor of authentication is sent to the user's device. Android/FakeToken.A intercepts all incoming SMS messages and checks whether the originating number and message body match one of the entries stored in the "catch SMS list". If the received SMS message is in the list, the second factor of authentication contained in the message is sent to the remote server and, if the malware is configured that way, it is also forwarded as an SMS to the number specified in the configuration file. Likewise, if the SMS content is in the "delete" list, the message is removed from the device.
Android/FakeToken.A registers a system alarm in order to schedule its own execution at some point in the future (the alarm time and period are defined in a configuration file). When the alarm goes off, a background service is started. The service creates and runs a thread that listens for commands sent from the remote servers specified in the configuration file. The commands trigger the following actions:
1. Add Command and Control servers.
2. Update the number that receives the initial SMS with the password entered by the user.
3. Remove all the SMS filters, so that every received SMS is captured and sent to the C&C server.
4. Add or delete SMS numbers in the "catch" and "delete" lists.
5. Send the contact list to a remote server.
6. Force an update of the malware: an APK is downloaded from a remote server and installed by tricking the user into believing it is a legitimate update of the fake token application. The title and text of the notification are supplied by the Command and Control server.