Riltok Mobile Banking Trojan Identified by Kaspersky Lab (Jun 25, 2019)
Kaspersky Lab researchers have identified a new variant of the Riltok mobile banking trojan, which has been in operation since March 2018. The actors distributing Riltok have primarily targeted individuals residing in Russia, but versions aimed at markets in France, Italy, Ukraine, and the United Kingdom have been detected in 2019. The trojan is distributed via SMS containing a malicious link to a fake website that imitates an ad-free version of one of the following popular mobile apps: Avito, Youla, Gumtree, Leboncoin, or Subito. During installation of the imitated app, Riltok asks the user for permission to use special features of the Android AccessibilityService; this permission then allows Riltok to present users with fake payment screens requesting bank card information. Once Riltok performs basic validation on the bank card details, the information is sent to the criminals' Command and Control (C2) server. Additionally, the trojan can hide notifications from certain banking apps installed on the device.
Recommendation: Threats are better prevented than cured. Avoid following suspicious links in SMS, and be sure to install apps only from official sources. In addition, check what permissions you are granting during the installation of any app. As Riltok shows, threat actors can apply the same methods of infection to victims in different countries with more or less the same success.