In the case of the Riltok Trojan (the name comes from ‘Real Talk’), the attack scenario generally starts with a user receiving an SMS-message with a link to a fake website that closely resembles a popular website for free classified advertising. The website invites the user to install the new version of the service’s mobile app, which is, in fact, the Riltok malware. Once the malware is downloaded and receives the necessary permissions from the infected victim, it appoints itself the default app for receiving and viewing SMS. This lets the attackers see all SMS-messages, including confirmation codes for bankcard operations, and also to send SMS to other numbers for onward propagation.
The main functions of the malware include:
Kaspersky experts have detected around 4,000 users hit by this malware to date, mainly in Russia, but also in Italy, France and the UK.
“We’ve been watching how the Riltok malware is being distributed slowly but steadily across Russia and we expect to see a rise in attacks as the cybercriminals behind this threat extend their reach to new countries and continents, starting with Europe. We’ve observed this scenario many times before; in our experience, once threat actors create a successful malware and test it in Russia, they adapt it for foreign victims and explore new territories. Usually such threats end up going global,” – said Tatyana Shishkova, security researcher at Kaspersky.
Kaspersky products detect the threat as Trojan-Banker.AndroidOS.Riltok.
Read more about Riltok Banking Trojan on Securelist.com