\tThe Faketoken Trojan has existed for a long time, and it has been upgraded for many years. Our experts named the current version \u201cFaketoken.q,\u201d and by now it has learned a significant number of tricks.\t\t<\/p>\n
\tAfter getting onto a smartphone (judging by the malware icon, Faketoken infiltrates smartphones through bulk SMS messages with a prompt to download some picture) and installing the necessary modules, the Trojan hides its shortcut icon and starts background monitoring of everything that happens in the system.\t\t<\/p>\n
![\"\"](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/08\/17052949\/faketoken-installed.jpg\")
<\/a>The icon of the installed Faketoken Trojan<\/p><\/div>\n
\tFirst, the Trojan is interested in the user\u2019s calls. As soon as it detects a call, it starts recording. When the call is finished, Faketoken sends the recording to the criminal\u2019s server. Second, the Trojan also checks which apps the smartphone\u2019s owner uses.\t\t<\/p>\n
\tWhen Faketoken detects the launch of an app whose interface it can simulate, the Trojan immediately overlays the app with its own screen. To achieve that, it uses a standard Android feature that supports showing screen overlays on top of all other apps<\/a>. A whole bunch of legitimate apps, such as messengers, window managers, and so on, use this feature.\t\t<\/p>\n \tThe overlaying window matches the colors of the original app\u2019s interface. In this window, the Trojan prompts the user to enter the number of his or her credit card, including the verification code from the back of the card.\t\t<\/p>\n The Faketoken.q Trojan impersonates taxi-booking apps popular in Russia<\/p><\/div>\n \tActually, Faketoken.q is after a huge variety of apps that have one thing in common: in them, a request to enter payment data looks normal enough not to arouse suspicion. Among the attacked apps are a number of mobile banking apps, Android Pay, the Google Play Store, apps for booking flights and hotel rooms, and apps for paying traffic tickets \u2014 as well as apps for booking taxis.\t\t<\/p>\n \tDuring the very stage of stealing money from the user, Faketoken resorts to another ruse<\/a>, intercepting all incoming SMS messages, hiding them from the user, and forwarding them to the criminals\u2019 server, where one-time passwords for payment confirmation from those messages are extracted.\t\t<\/p>\n How banking Trojans bypass two-factor authentication<\/a><\/p><\/blockquote>\n![\"\"](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/08\/17052952\/faketoken-stealing-interface-1024x819.jpg\")
<\/a>