Detect Date 08/20/2015
Class Trojan-Banker
Platform AndroidOS

Malware in this family steals a user’s one-time banking password and is used in combination with Trojans. When the user is logged in to an online bank, the Trojans inject code into the web page. The web browser window, which is displaying the page of the online bank, asks the user to download an Android app. The user is falsely informed that the app is necessary for making safe banking transactions, and the page is modified to display a link to the Faketoken Trojan. When the downloaded malware is run on the user’s smartphone, the cybercriminal uses the malware to obtain access to the user’s bank account. Faketoken enables the cybercriminal to intercept one-time mTAN (mobile transaction authentication number) codes and transfer the user’s money to other accounts.

Malware in this family was first identified in late March 2013.

Geographical distribution of attacks by the Trojan-Banker.AndroidOS.Faketoken family


Geographical distribution of detections during the period from 21 July 2014 to 24 July 2015

Top 10 countries with most attacked users (% of total attacks)

Country % of users attacked worldwide*
1 Russian Federation 86.60
2 Kazakhstan 3.82
3 Ukraine 3.47
4 Belarus 1.45
5 Uzbekistan 0.51
6 Germany 0.42
7 Azerbaijan 0.32
8 India 0.27
9 Kyrgyzstan 0.25
10 Tajikistan 0.25

* Percentage of all unique Kaspersky users attacked by this malware

Find out the statistics of the threats spreading in your region