Skip to main content

Woburn, MA – August 17, 2017 - Kaspersky Lab researchers have discovered a new modification of the well-known mobile banking Trojan, Faketoken, which is now able to steal credentials from popular taxi applications. Based on the results of Kaspersky Lab’s research, cybercriminals are targeting the most popular international taxi and ride-sharing services with this malware.

More and more mobile app services are storing confidential financial data, including taxi services and ride-sharing apps that require the user’s bank card information. These apps are installed on millions of Android devices worldwide, making them attractive targets for cybercriminals, who have significantly extended the functionality of mobile banking malware.

The new version of Faketoken performs live tracking of apps, and when a user runs a specified app, the Trojan overlays it with a phishing window to steal the victim’s bank card details. Faketoken has an identical interface, with the same color schemes and logos, which creates an instant and completely invisible overlay.

In addition, the Trojan steals all incoming SMS messages by redirecting them to its command and control servers, allowing criminals access to one-time verification passwords sent by a bank, or other messages sent by taxi and ride-sharing services. This Faketoken modification can also monitor users’ calls, record them, and transmit the data to the command and control servers.

Overlaying is a common function enabled in many mobile applications. Last year, Kaspersky Lab reported a modification of Faketoken that was attacking more than 2,000 financial apps around the world by disguising itself as various programs and games, often imitating Adobe Flash Player. Since then, Faketoken has been developed further, and has expanded the geography of its activities.

“The fact that cybercriminals have expanded their activities from financial applications to other areas, including taxi and ride-sharing services, means that the developers of these services may want to start paying more attention to the protection of their users,” said Viktor Chebyshev, security expert at Kaspersky Lab. “The banking industry is familiar with fraud schemes, and its solution of implementing security technologies in apps has significantly reduced the risk of theft of critical financial data. Perhaps now it is time for other services that are working with financial data to follow suit. The new version of Faketoken targets mostly Russian users; however, the geography of attacks could easily be extended, like we have seen with previous versions of Faketoken.”

Researchers have also detected Faketoken attacks on other popular mobile applications, such as travel and hotel booking apps, apps for traffic fine payments, Android Pay and the Google Play Market.

To protect yourself against the Faketoken Trojan and other Android malware threats, Kaspersky Lab strongly recommends that consumers do not install apps from unknown sources and to use a reliable security solution, such as Kaspersky Mobile Antivirus: Web Security & Applock on their device.

Read more about the new version of Faketoken Android malware on

About Kaspersky Lab

Kaspersky Lab is a global cybersecurity company celebrating its 20 year anniversary in 2017. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at

For the latest in-depth information on security threat issues and trends, please visit:

Securelist | Information about Viruses, Hackers and Spam
Follow @Securelist on Twitter

Threatpost | The First Stop for Security News
Follow @Threatpost on Twitter

Media Contact
Sarah Kitsos

New Version of Faketoken Android Trojan Hunts for Taxi and Ride-Sharing App Users

Woburn, MA – August 17, 2017 - Kaspersky Lab researchers have discovered a new modification of the well-known mobile banking Trojan, Faketoken, which is now able to steal credentials from popular taxi applications.
Kaspersky Logo