Geeks for your information Security Security Vendors Kaspersky Kaspersky Security Blog v
Riltok mobile Trojan: A banker with global reach
Riltok mobile Trojan: A banker with global reach
harlan4096 Offline
MalWare Zoo Team
*******
Posts: 14,441
Threads: 9,518
Thanks Received: 9,035 in 7,185 posts
Thanks Given: 9,810
Joined: 12 September 18
#1
Bug  28 June 19, 05:34
Quote:
[Image: mobile-banker-riltok-1.png]

Riltok is one of numerous families of mobile banking Trojans with standard (for such malware) functions and distribution methods. Originally intended to target the Russian audience, the banker was later adapted, with minimal modifications, for the European “market.” The bulk of its victims (more than 90%) reside in Russia, with France in second place (4%). Third place is shared by Italy, Ukraine, and the United Kingdom.

We first detected members of this family back in March 2018. Like many other bankers, they were disguised as apps for popular free ad services in Russia. The malware was distributed from infected devices via SMS in the form “%USERNAME%, I’ll buy under a secure transaction. youlabuy[.]ru/7*****3” or “%USERNAME%, accept 25,000 on Youla youla-protect[.]ru/4*****7”, containing a link to download the Trojan. Other samples were also noticed, posing as a client of a ticket-finding service or as an app store for Android.

It was late 2018 when Riltok climbed onto the international stage. The cybercriminals behind it kept the same masking and distribution methods, using names and icons imitating those of popular free ad services.

In November 2018, a version of the Trojan for the English market appeared in the shape of Gumtree.apk. The SMS message with a link to a banker looked as follows: “%USERNAME%, i send you prepayment gumtree[.]cc/3*****1”.

Italian (Subito.apk) and French (Leboncoin.apk) versions appeared shortly afterwards in January 2019. The messages looked as follows:

“%USERNAME%, ti ho inviato il soldi sul subito subito-a[.]pw/6*****5” (It.)
“% USERNAME%, ti ho inviato il pagamento subitop[.]pw/4*****7” (It.)
“%USERNAME%, je vous ai envoyé un prepaiement m-leboncoin[.]top/7*****3” (Fr.)
“%USERNAME%, j’ai fait l’avance (suivi d’un lien): leboncoin-le[.]com/8*****9” (Fr.)

Let’s take a more detailed look at how this banking Trojan works.

Infection

The user receives an SMS with a malicious link pointing to a fake website simulating a popular free ad service. There, they are prompted to download a new version of the mobile app, under which guise the Trojan is hidden. To be installed, it needs the victim to allow installation of apps from unknown sources in the device settings.

During installation, Riltok asks the user for permission to use special features in AccessibilityService by displaying a fake warning:
Continue Reading
[-] The following 1 user says Thank You to harlan4096 for this post:
  • silversurfer
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
K-Lite Codec Pack 18.8.5 / 18.8.9 Update
Changes in 18.8.9 ...harlan4096 — 07:13
Ubuntu 24.04.2 LTS / 25.04
Ubuntu 24.04.2 LTS...harlan4096 — 07:12
Microsoft Edge 135.0.3179.85
Version 135.0.3179...harlan4096 — 07:10
AnyDesk 7.0.0 for Linux
AnyDesk 7.0.0 for ...harlan4096 — 07:08
Intel releases AI Playground software fo...
Intel is open sour...harlan4096 — 07:07

[-]
Birthdays
Today's Birthdays
avatar (37)RobertUtelt
Upcoming Birthdays
avatar (44)wapedDow
avatar (43)techlignub
avatar (42)Stevenmam
avatar (49)onlinbah
avatar (50)steakelask
avatar (44)Termoplenka
avatar (42)bycoPaist
avatar (48)pieloKat
avatar (42)ilyagNeexy
avatar (50)donitascene
avatar (50)Toligo

[-]
Online Staff
There are no staff members currently online.

>