Bad news, fandroids: Mobile banking malware now encrypts files

Cybercrooks have outfitted ransomware functionality onto an already dangerous mobile banking Trojan. The modified Faketoken can steal credentials from more than 2,000 Android financial applications, security researchers at Kaspersky Lab warn. Based on telemetry, Kaspersky Lab estimates that Faketoken has claimed over 16,000 …

  1. Anonymous Coward
    FAIL

    You say...

    "The malware serves to underline why you should not blindly hand over permissions to mobile apps as well as the importance of backing up data."

    But, but, but...If I don't give access to my media, contacts, phone settings, internet connection and location, my torch app simply won't work.

    No joke icon as it's no joke the permissions people allow.

    1. fidodogbreath Silver badge
      FAIL

      Re: You say...

      I'm often appalled at the permissions that some apps demand. Access contacts, access storage, location, phone calls, emails, SMS...and, of course, full network access and run at startup. And let's not forget the infamous "permission creep," where each new update wants even more access.

      When those of us who care about security see crazy permissions, we go find a different app; but face it, we're a tiny minority. Nothing will change until general users start to pay attention, and refuse to install apps with excessive permissions that don't make sense for the app's stated function. Which is to say, nothing will change.

    2. cd

      Re: You say...

      Notice that the Play Store does nothing about that situation, so that users become accustomed to ridiculous permissions creep being the norm. There's no rating system for that, no mention of it until one goes to Install. One might wonder whether such behavior is being enabled by the proprietor.

      1. Chris G Silver badge

        Re: You say...

        I never use my Android for any financial transactions and won't keep data like that in the phone.

        It would be useful when downloading an app, to have the ability to delete those permissions you don't agree to, then the app can say it will function or not. I keep the number of apps to a minimum because of so many asking for unnecessary permissions, the couple I have paid for I contacted the developer and paid securely.

        1. cmaurand

          Re: You say...

          I haven't had any trouble denying permissions to apps. They ask you when you install them and you have a combo box (drop down menu) for each permission where you can accept or deny.

  2. Lord Elpuss Silver badge

    Android sits at both ends of the security scale. Normal consumer-grade security (on practically every Android handset) is appalling, and beaten into a shit sandwich by iOS*. At the other end, ultra-high security handsets are also Android, but very heavily customised. And you won't get one of those for less than 5 grand.

    * Not talking about crackability by everybody's favourite TLA agencies; I'm talking about trivially easy to crack by miscreants with the barest minimum of knowledge.

    1. Anonymous Coward

      Want to back that up with some evidence?

      I have never ever come across a single compromised Android handset, nor an iOS handset, and I have seen literally tens of thousands. Android security is actually very very good, especially if your handset manufacturer pushes out patches (and most do). Don't confuse old Android versions with unpatched Android versions. Even old versions of Android get security patches, and most of the major security enhancements (like on-demand permission granting) are now pretty mainstream on all but the oldest handsets.

      Given that the vast majority of the billions of Android devices are locked into only getting apps from Google Play, you have to jump through some pretty big hoops and go out of your way to have a problem. This is likely exactly what Kaspersky did to "get" this malware.

      1/ You need to enable sideloading apps.

      2/ You need to have disabled and opted out of Google app scanning.

      3/ You needed to find this dodgy app online somewhere and install it.

      4/ You needed to grant invasive permissions.

      There are likely more layers of security I didn't mention also....

      1. Lord Elpuss Silver badge

        Are you serious?

        http://www.theregister.co.uk/2016/12/20/faketoken_mobile_banking_malware/

        http://www.theregister.co.uk/2016/12/14/persistent_ad_and_dialler_trojans_found_on_28_android_phones/

        http://www.theregister.co.uk/2016/10/21/linux_privilege_escalation_hole/

        http://www.theregister.co.uk/2016/12/07/information_request_finds_uber_is_watching_your_battery_charge/ (still shit security)

        http://www.theregister.co.uk/2016/11/30/gooligan_android_malware/

        And that's just from this website, since the beginning of December.

        Oh, and then there's this beauty:

        http://www.theregister.co.uk/2016/08/08/latest_androids_have_god_mode_hack_hole/

        The list goes on and on and on. There are tens of thousands of vulnerabilities for Android just waiting to catch the unwary, and that's not even before we get started on the raison d'etre of the whole operating system, which is to assimilate as much data as it can on you for marketing purposes.

        If you haven't figured this out by now, you're an idiot.

        1. Anonymous Coward

          You are both right! Now, stop this fighting, or I'm turning this news site around and we are GOING HOME!

          Android has a high number of vulns that do nasty things with your device and data, but only if you; 1) sideload crapware onto your device, 2) have an old Android device from a 3rd party, like Samsung, who never bothers to release any updates because you're supposed to buy a new phone every year (I did, I got an iPhone 6s+, you dickheads) AND do item 1, or 3) are just plain stupid and load and reply yes to everything the mobe tells you to, ALA item 1, like an idiot.

          Apple and Google do a fair job of keeping malware out of the main App download stores, the bulk of problems are coming from sideloading, pillheads in Eastern Bloc Countries℠ who also like to drink various skin lotions and such. I don't know about all that, but it sounds dangerous, and fun all at once. Carry on.

          1. Anonymous Coward
            Megaphone

            I hate this statement so much

            "1/ You need to enable sideloading apps."

            So choice.

            1. Use Google's walled garden and only their walled garden.

            or

            2. You're on your own.

            So Amazon is no good then?

            It's an utterly contemptible attitude. Imagine the uproar if Microsoft said "Sorry, you can only use programs from the Microsoft store, unless you turn off the restriction. At which point, if you get a virus, it's your own stupid fault. Oh BTW if you want a patch, you'll need to speak to your pc maker and hope they roll one out. If not buy a new pc, or just take your chances."

            Patches for OS's should NEVER rely on the hardware manufacturer. That was an utterly stupid, lazy idea from the start.

            1. Anonymous Coward

              "So Amazon is no good then?"

              No - Amazon is a sinkhole for the unwary when it comes to Android apps. It routinely lists apps apparently without any form of malware scanning etc. and fails to take them down when advised that the listing is fraudulent.

  3. Walter Bishop Silver badge
    Linux

    Mobile banking malware ..

    "The modified Faketoken can steal credentials from more than 2,000 Android financial applications, security researchers at Kaspersky Lab warn."

    How does this modified Faketoken get onto the phone in the first place, without the enduser opening an email attachment or visiting a malicious URL?

    "Faketoken poses as various programs and games, including Adobe Flash Player. During the initial infection process, the Trojan demands administrator rights, permission to overlay other apps or to be a default SMS application – often leaving users with little or no choice but to comply."

    Ah, thanking you for that explanation down in the fourth paragraph. Shouldn't there be a hardware reset key on these devices that resets the software back to a pristine state, without deleting your address book and photos of your cats?

    1. DougS Silver badge

      Reset key

      There is, it's whatever the "clear and reset everything" item is called on Android, followed by copying back your contacts, photos etc. from the cloud or backup.

      That will fix the ransomware aspect, but it can't unsteal your credit card, bank password and so forth.

      1. Anonymous Coward

        Re: Reset key

        Quote: "..but it can't unsteal your credit card, bank password and so forth."

        What banking apps on mobile use the same credentials as your online accounts?

        Genuine question, as to me that would be a sign of incompetence with your bank or credit card company if that was the case!

        I've used several financial apps over the years, banks, credit cards, and not one has ever used my online security details, you've usually had to set a separate mobile password or pin, that is only used by the mobile app, and more recently multi factor auth.

        Not saying it's perfect or anything, but no breach of a mobile app should enable access to the online services.

        1. Anonymous Coward

          Re: Reset key

          I think he's referring to fetching or otherwise snooping the session data that flows between bank customer's smartphone, and the bank's customer APIs, and not the use of a single data object as a factor in all forms of secure communication with the bank. Like using the PIN as your password, or other such silliness. By hijacking, or otherwise subverting the app to bank session, you can theoretically take over or steal the session credentials and make extra transfers, etc, by posing or reusing the app itself, and you don't even need the password string.

          There is also a reset mechanism built into Android phones, at least my Sammys had this; when you power it on, or restart it, holding down the Up Volume key (I forget the exact one. You'll find it) will invoke a setup mode where you can factory reset the phone and some other low-level functions. I had to use this when after several updates, without ever rebooting the tablet, it got stuck in a reboot loop and would never start up all the way. Resetting back to (choco) factory default settings fixed it.

  4. Anonymous South African Coward Silver badge

    Frankentoken more likely...
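
Added example, not part of the article or of any comment above: the three requests that the article quote in the thread attributes to Faketoken (administrator rights, overlay permission, default SMS application) each leave a marker in an app's decoded AndroidManifest.xml, and this Python check flags them before install. The sample manifest, its package name and the function name `audit_manifest` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by decoded Android manifests.
ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (decoded XML form), not taken from any real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashupdate">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".Sms"
              android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return the sorted list of high-risk capabilities a manifest declares."""
    root = ET.fromstring(xml_text)
    findings = set()
    # Drawing over other apps requires this declared permission.
    for perm in root.iter("uses-permission"):
        if perm.get(ANDROID + "name") == "android.permission.SYSTEM_ALERT_WINDOW":
            findings.add("overlay")
    for comp in root.iter("receiver"):
        actions = {a.get(ANDROID + "name") for a in comp.iter("action")}
        # A device-admin receiver is guarded by BIND_DEVICE_ADMIN.
        if comp.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            findings.add("device-admin")
        # Only an app able to become the default SMS app handles SMS_DELIVER.
        if "android.provider.Telephony.SMS_DELIVER" in actions:
            findings.add("default-sms")
    return sorted(findings)


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

Any one of these capabilities has legitimate uses; all three together in something presenting itself as a game or a Flash Player update is the mismatch between permissions and stated function that the commenters describe.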
