{"id":8778,"date":"2017-08-17T02:30:06","date_gmt":"2017-08-17T10:30:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/08\/17\/news-2551\/"},"modified":"2017-08-17T02:30:06","modified_gmt":"2017-08-17T10:30:06","slug":"news-2551","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/08\/17\/news-2551\/","title":{"rendered":"Taxi Trojans are on the way"},"content":{"rendered":"

Credit to Author: Alex Drozhzhin| Date: Thu, 17 Aug 2017 09:32:29 +0000<\/strong><\/p>\n

\tYou’re in a hurry, trying to get to work, a business meeting, a date. So you launch your favorite app for booking a taxi as usual, but this time, it prompts you to enter your credit card number. Does that seem suspicious? It may not \u2014 apps forget information, and all you have to do is add your card number again.\t\t<\/p>\n

\tHowever, after some time you notice money disappearing from your account. What happened? You may be the unlucky winner of a mobile Trojan. This kind of malware has been caught recently stealing bank data by impersonating the interfaces of taxi-booking apps<\/a>.\t\t<\/p>\n

\"\"<\/a> <\/p>\n

\tThe Faketoken Trojan has existed for a long time, and it has been upgraded for many years. Our experts named the current version “Faketoken.q,” and by now it has learned a significant number of tricks.\t\t<\/p>\n

\tAfter getting onto a smartphone (judging by the malware icon, Faketoken infiltrates smartphones through bulk SMS messages with a prompt to download some picture) and installing the necessary modules, the Trojan hides its shortcut icon and starts background monitoring of everything that happens in the system.\t\t<\/p>\n

\"\"<\/a><\/p>\n

The icon of the installed Faketoken Trojan<\/p>\n<\/div>\n

\tFirst, the Trojan is interested in the user’s calls. As soon as it detects a call, it starts recording. When the call is finished, Faketoken sends the recording to the criminal’s server. Second, the Trojan also checks which apps the smartphone’s owner uses.\t\t<\/p>\n

\tWhen Faketoken detects the launch of an app whose interface it can simulate, the Trojan immediately overlays the app with its own screen. To achieve that, it uses a standard Android feature that supports showing screen overlays on top of all other apps<\/a>. A whole bunch of legitimate apps, such as messengers, window managers, and so on, use this feature.\t\t<\/p>\n

\tThe overlaying window matches the colors of the original app’s interface. In this window, the Trojan prompts the user to enter the number of his or her credit card, including the verification code from the back of the card.\t\t<\/p>\n

\"\"<\/a><\/p>\n

The Faketoken.q Trojan impersonates taxi-booking apps popular in Russia<\/p>\n<\/div>\n

\tActually, Faketoken.q is after a huge variety of apps that have one thing in common: in them, a request to enter payment data looks normal enough not to arouse suspicion. Among the attacked apps are a number of mobile banking apps, Android Pay, the Google Play Store, apps for booking flights and hotel rooms, and apps for paying traffic tickets \u2014 as well as apps for booking taxis.\t\t<\/p>\n

\tDuring the very stage of stealing money from the user, Faketoken resorts to another ruse<\/a>, intercepting all incoming SMS messages, hiding them from the user, and forwarding them to the criminals’ server, where one-time passwords for payment confirmation from those messages are extracted.\t\t<\/p>\n

\n

How banking Trojans bypass two-factor authentication<\/a><\/p>\n<\/blockquote>\n