Riltok banking trojan begins targeting Europe

News by Robert Abel

Riltok is distributed from infected devices via SMS, disguised as apps for popular free ad services in Russia

The Riltok banking trojan, originally intended to target Russians, has, after a few modifications, set its sights on the European market.

The malware has more recently diverted four percent of its traffic to France and even smaller percentages to Italy, Ukraine and the UK, although 90 percent of its victims are still in Russia, according to a Kaspersky blog post on 25 June.

Riltok is distributed from infected devices via SMS, disguised as apps for popular free ad services in Russia. Victims typically receive an SMS containing a malicious link pointing to a fake website that appears to be a popular free ad service.

They are then prompted to download a "new version" of the mobile app, which is actually the trojan. To install the phony app, a victim must permit the installation of apps from unknown sources in the device settings.

Riltok asks the user for permission to use special features in AccessibilityService and if the user ignores or declines the request, the window keeps opening ad infinitum. 

Once the malware has obtained the desired rights, the trojan sets itself as the default SMS app (by independently clicking Yes in AccessibilityService) before vanishing from the device screen.
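The installation chain described above depends on three device conditions a defender can check for: installation from unknown sources switched on, an accessibility service granted to an app that should not have one, and the default SMS handler replaced. The Python below is an added illustration, not code from the article or from Kaspersky's research. It parses the key=value text a wrapper around `adb shell settings get secure <key>` would produce and flags those three conditions. The sample dump, the allowlists and the `com.example.fakeads` package name are constructed assumptions; a real deployment would use the organisation's own allowlists.

```python
"""Audit the Android Secure settings that the Riltok infection chain relies on.

Added example, not from the article. Input is key=value text, one line per
Secure setting, as a small shell loop around `adb shell settings get secure`
would print it. The sample below is constructed for the demo.
"""
from dataclasses import dataclass

# Assumed allowlist: accessibility services an organisation expects on its fleet.
KNOWN_ACCESSIBILITY_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}
# Assumed allowlist: legitimate default SMS apps.
KNOWN_SMS_APPS = {"com.google.android.apps.messaging", "com.android.messaging"}

# Constructed sample, as if collected with:
#   for k in install_non_market_apps enabled_accessibility_services sms_default_application; do
#       echo "$k=$(adb shell settings get secure $k)"; done
# "com.example.fakeads" is a placeholder package name, not a real indicator.
SAMPLE_DUMP = """
install_non_market_apps=1
enabled_accessibility_services=com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeads/.AccService
sms_default_application=com.example.fakeads
"""


@dataclass
class Finding:
    setting: str
    value: str
    reason: str


def parse_settings_dump(text: str) -> dict:
    """Parse `key=value` lines; blank lines and `#` comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit(settings: dict) -> list:
    """Return one Finding per condition that matches the Riltok install chain."""
    findings = []

    # 1. Sideloading: the trojan cannot install unless unknown sources are allowed.
    if settings.get("install_non_market_apps") == "1":
        findings.append(Finding("install_non_market_apps", "1",
                                "installation from unknown sources is enabled"))

    # 2. Accessibility: the value is a colon-separated list of package/Service
    #    entries; anything outside the allowlist can click dialogs on the user's behalf.
    raw = settings.get("enabled_accessibility_services", "")
    for service in filter(None, raw.split(":")):
        if service not in KNOWN_ACCESSIBILITY_SERVICES:
            findings.append(Finding("enabled_accessibility_services", service,
                                    "unexpected accessibility service"))

    # 3. Default SMS app: `settings get` prints "null" when none is set.
    sms_app = settings.get("sms_default_application", "null")
    if sms_app != "null" and sms_app not in KNOWN_SMS_APPS:
        findings.append(Finding("sms_default_application", sms_app,
                                "unexpected default SMS app"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_settings_dump(SAMPLE_DUMP)):
        print(f"[!] {finding.setting}: {finding.value} ({finding.reason})")
```

Running it against the constructed dump reports all three conditions; against a device with sideloading off and no default SMS app override it reports nothing. The colon-separated form of `enabled_accessibility_services` is why the parser splits on `:` rather than treating the value as a single name.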

Once a device is infected, the malware actively communicates with its Command and Control servers and receives various commands. 

Researchers noted the malware sends data about the device including the IMEI, phone number, country, mobile operator, phone model, availability of root rights, OS version, list of contacts, list of installed apps and incoming SMS.

Some of the operations found in the malware’s library include:

  • Get address of cybercriminal C&C server
  • Get configuration file with web injects from C&C, as well as default list of injects
  • Scan for app package names that generated AccessibilityEvent events in the list of known banking/antivirus/other popular apps
  • Set malware as default SMS app
  • Get address of the phishing page that opens when the app runs, and others

To prevent infection, researchers recommend that users never follow suspicious links sent via SMS, only install apps from official sources and check what permissions are granted during installation.

This article was originally published on SC Media US.
