COVID-19 has awakened Faketoken

COVID-19 has awakened Faketoken

Over 2,000 Android users are falling victim to the malware every day
April 17, 2020

BI.ZONE has recorded a surge in the Faketoken malware activity across the Russian segment of the Internet. The malicious program Trojan-Banker.AndroidOS.Faketoken steals money from Android users, disguising itself as a popular application from an online trading platform.

Faketoken first appeared in 2012. The only feature of its first version was to capture SMS passwords from online banks. Over 8 years of evolution the malware acquired more capabilities. Faketoken in 2020 is able to capture SMS on a device, transfer messages to the criminals’ server and display phishing windows over legitimate applications in order to collect bank card details. A distinctive feature of this latest version is the ability to prevent deletion of the malware from the device using anti-virus programs. However, it is still possible to delete Faketoken, i.e., through the operating system’s safe mode.

BI.ZONE experts believe, this new arrival of the trojan to Russia is connected with the large-scale transition to remote work. People are staying home, online trade is growing more popular, and criminals are taking advantage of this situation. At present time Faketoken botnet includes over 10,000 devices. The criminals register up to 7 new phishing domains every day to spread this malware.

Most infections follow a standard pattern. A user places an advertisement on an online trade site and receives an SMS or a notification to a messenger with a link to a phishing site. The user clicks the link and downloads an APK setup file that looks exactly like the application of this online trade site. After the user runs the file and grants the rights to the malware, the criminals get to manage the infected device. Later, when the victim enters a legitimate application (e.g., a mobile bank or a taxi service), the trojan requests to enter bank card details under a false pretext and captures the SMS password. Using this information, the criminals steal the user’s money.


Faketoken is spreading very quickly. Every day the trojan is infecting over 2,000 devices. To avoid becoming a victim, do not click on any links from suspicious sources, download and set up applications from official stores only and keep Google Play Protect enabled. Use an anti-virus and keep it up-to-date to reduce the risk of infection
Evgeny Voloshin
CISO of BI.ZONE