Malware in this family steals a user’s one-time banking password and is used in combination with Trojans. When the user is logged in to an online bank, the Trojans inject code into the web page. The web browser window, which is displaying the page of the online bank, asks the user to download an Android app. The user is falsely informed that the app is necessary for making safe banking transactions, and the page is modified to display a link to the Faketoken Trojan. When the downloaded malware is run on the user’s smartphone, the cybercriminal uses the malware to obtain access to the user’s bank account. Faketoken enables the cybercriminal to intercept one-time mTAN (mobile transaction authentication number) codes and transfer the user’s money to other accounts.
Malware in this family was first identified in late March 2013.
Geographical distribution of attacks by the Trojan-Banker.AndroidOS.Faketoken family
Geographical distribution of detections during the period from 21 July 2014 to 24 July 2015
Top 10 countries with most attacked users (% of total attacks)
* Percentage of all unique Kaspersky Lab users attacked by this malware