Riltok mobile Trojan: A banker with global reach
#1
Bug 
Quote:
[Image: mobile-banker-riltok-1.png]

Riltok is one of numerous families of mobile banking Trojans with standard (for such malware) functions and distribution methods. Originally intended to target the Russian audience, the banker was later adapted, with minimal modifications, for the European “market.” The bulk of its victims (more than 90%) reside in Russia, with France in second place (4%). Third place is shared by Italy, Ukraine, and the United Kingdom.

We first detected members of this family back in March 2018. Like many other bankers, they were disguised as apps for popular free ad services in Russia. The malware was distributed from infected devices via SMS in the form “%USERNAME%, I’ll buy under a secure transaction. youlabuy[.]ru/7*****3” or “%USERNAME%, accept 25,000 on Youla youla-protect[.]ru/4*****7”, containing a link to download the Trojan. Other samples were also noticed, posing as a client of a ticket-finding service or as an app store for Android.

It was late 2018 when Riltok climbed onto the international stage. The cybercriminals behind it kept the same masking and distribution methods, using names and icons imitating those of popular free ad services.

In November 2018, a version of the Trojan for the English market appeared in the shape of Gumtree.apk. The SMS message with a link to a banker looked as follows: “%USERNAME%, i send you prepayment gumtree[.]cc/3*****1”.

Italian (Subito.apk) and French (Leboncoin.apk) versions appeared shortly afterwards in January 2019. The messages looked as follows:

“%USERNAME%, ti ho inviato il soldi sul subito subito-a[.]pw/6*****5” (It.)
“%USERNAME%, ti ho inviato il pagamento subitop[.]pw/4*****7” (It.)
“%USERNAME%, je vous ai envoyé un prepaiement m-leboncoin[.]top/7*****3” (Fr.)
“%USERNAME%, j’ai fait l’avance (suivi d’un lien): leboncoin-le[.]com/8*****9” (Fr.)

Let’s take a more detailed look at how this banking Trojan works.

Infection

The user receives an SMS with a malicious link pointing to a fake website simulating a popular free ad service. There, they are prompted to download a new version of the mobile app, under which guise the Trojan is hidden. To be installed, it needs the victim to allow installation of apps from unknown sources in the device settings.

During installation, Riltok asks the user for permission to use special features in AccessibilityService by displaying a fake warning:
Continue Reading
The following 1 user says Thank You to harlan4096 for this post: silversurfer
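The lure messages quoted above share one shape: a personalised greeting, a payment pretext, and a link whose hostname borrows the name of a free ad service but sits on a domain that service does not own. The following is an added example (not code from the post, from Kaspersky, or from any product) showing how a defender could turn that pattern into a simple SMS triage heuristic. It assumes the legitimate domains listed in OFFICIAL_DOMAINS (my assumption, not stated in the post), and the sample messages are constructed from the templates quoted above with the masked paths kept as printed.

```python
import re
from dataclasses import dataclass, field

# Ad-service brands the post says Riltok impersonated, mapped to what this
# example ASSUMES is each service's legitimate domain (not stated in the post).
OFFICIAL_DOMAINS = {
    "youla": "youla.ru",
    "gumtree": "gumtree.com",
    "subito": "subito.it",
    "leboncoin": "leboncoin.fr",
}

# Words from the quoted lure texts that frame the link as a payment step.
PAYMENT_WORDS = ("secure transaction", "prepayment", "prepaiement",
                 "pagamento", "soldi", "avance", "accept")

# A hostname (live, or defanged with "[.]") followed by "/" and a short path.
# The post masks the real paths as e.g. 7*****3, so "*" is accepted too.
URL_RE = re.compile(
    r"(?<![\w.])((?:[a-z0-9-]+(?:\[\.\]|\.))+[a-z]{2,})/([0-9a-z*]{2,})",
    re.IGNORECASE,
)


@dataclass
class LureHit:
    domain: str                 # refanged hostname that was found
    path: str                   # path component after the first "/"
    brand: str                  # ad service the hostname imitates
    reasons: list = field(default_factory=list)


def refang(host: str) -> str:
    """Turn a defanged host like youlabuy[.]ru back into youlabuy.ru."""
    return host.replace("[.]", ".").lower()


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the TLDs in the samples."""
    return ".".join(host.split(".")[-2:])


def imitated_brand(host: str):
    """Brand name embedded in the host, unless the host is that brand's own
    registrable domain (so gumtree.com is not a look-alike of gumtree)."""
    reg = registrable(host)
    for brand, official in OFFICIAL_DOMAINS.items():
        if brand in host and reg != official:
            return brand
    return None


def scan_sms(text: str) -> list:
    """Return one LureHit per look-alike URL found in an SMS body."""
    hits = []
    lowered = text.lower()
    for host, path in URL_RE.findall(text):
        host = refang(host)
        brand = imitated_brand(host)
        if brand is None:
            continue
        reasons = [f"host imitates {brand} but is not {OFFICIAL_DOMAINS[brand]}"]
        if re.fullmatch(r"[0-9*]{4,12}", path):
            reasons.append("short opaque path, typical of a per-victim download link")
        words = [w for w in PAYMENT_WORDS if w in lowered]
        if words:
            reasons.append("payment pretext: " + ", ".join(words))
        hits.append(LureHit(host, path, brand, reasons))
    return hits


def flagged_messages(messages) -> list:
    """Indices of messages in which at least one lure URL was found."""
    return [i for i, m in enumerate(messages) if scan_sms(m)]


# Constructed corpus: the four lure templates quoted in the post (masked paths
# kept as printed, %USERNAME% filled with made-up names) plus two benign texts.
SAMPLE_SMS = [
    "Anna, I'll buy under a secure transaction. youlabuy[.]ru/7*****3",
    "Bob, i send you prepayment gumtree[.]cc/3*****1",
    "Carla, ti ho inviato il pagamento subitop[.]pw/4*****7",
    "Denis, je vous ai envoyé un prepaiement m-leboncoin[.]top/7*****3",
    "Your Gumtree ad is now live: gumtree.com/ads/123",
    "Dinner at 8? Bring the book you borrowed.",
]

if __name__ == "__main__":
    for i in flagged_messages(SAMPLE_SMS):
        for hit in scan_sms(SAMPLE_SMS[i]):
            print(f"[{i}] {hit.domain}/{hit.path} -> {hit.brand}: "
                  + "; ".join(hit.reasons))
```

The brand check compares the registrable domain rather than doing a substring match alone, which is what keeps a genuine gumtree.com link out of the hits while still catching gumtree[.]cc or m-leboncoin[.]top. The registrable() helper is deliberately crude (last two labels); a production filter would use a public-suffix list and a maintained allow-list of each service's real domains.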