Riltok, a Russian mobile banking trojan, has spread its wings and is now targeting users around the world. The news comes from Kaspersky, which says the attacks on other countries are linked to new variants of the malware. The first countries Riltok is targeting are France, Italy, the United Kingdom and, a favourite target of Russian hackers, Ukraine.
According to Tatyana Shishkova, security researcher at Kaspersky: “We’ve been watching how the Riltok malware is being distributed slowly but steadily across Russia and we expect to see a rise in attacks as the cybercriminals behind this threat extend their reach to new countries and continents, starting with Europe.
“We’ve observed this scenario many times before; in our experience, once threat actors create a successful malware and test it in Russia, they adapt it for foreign victims and explore new territories. Usually such threats end up going global.”
What is Riltok?
Riltok is a banking trojan. It targets Android smartphones and is spread via SMS. The SMS directs the user to a fake website that pretends to be one of several popular free classified-ads services. Among the brands Kaspersky has seen it impersonate are Gumtree, Avito, Leboncoin and Subito.
In the Russian version, Shishkova says, the malware sets itself as the default app for receiving and viewing SMS. This lets it intercept, and hide from the user, the verification messages a bank sends when a payment is set up or card details are changed, so the fraud completes without the victim seeing the one-time code.
To steal user data, the app displays a range of fake screens that mimic legitimate apps, including Google Play and several banking apps. It also opens phishing pages in the browser that ask the user to verify or update banking data. Riltok even checks that the card number and CVV entered are valid before accepting them, so only usable card data reaches the operators.
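The two behaviours described above, suppressing verification SMS and sanity-checking stolen card data, are modelled in the added example below. This is illustrative code written for this article, not Riltok's code and not Kaspersky's analysis: the keyword list, the regular expression and the rule that the card check is a Luhn test plus a brand-dependent CVV length are all assumptions, and the inbox messages are constructed samples.

```python
import re

# Keywords that commonly appear in bank verification SMS. The Russian terms are
# the generic words for "code", "confirm..." and "password". This list is a
# constructed assumption about what a trojan would key on, not Riltok's filter.
VERIFICATION_KEYWORDS = (
    "code", "verification", "otp", "one-time", "confirm", "passcode",
    "код", "подтвержд", "пароль",
)
# A 4-8 digit token not embedded in a longer digit run.
CODE_PATTERN = re.compile(r"(?<!\d)\d{4,8}(?!\d)")


def is_verification_sms(body: str) -> bool:
    """Return True if the message looks like a one-time verification code.

    Both conditions must hold: a 4-8 digit token AND a verification keyword,
    so ordinary messages that merely contain a time or an order number are
    not swallowed.
    """
    lowered = body.lower()
    has_keyword = any(k in lowered for k in VERIFICATION_KEYWORDS)
    return has_keyword and CODE_PATTERN.search(body) is not None


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test on a primary account number (digits only)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_looks_valid(pan: str, cvv: str) -> bool:
    """Plausibility check a trojan might run before exfiltrating card data.

    Assumption (the article does not say how Riltok validates): the PAN must
    pass Luhn and the CVV length must match the brand, 4 digits for Amex
    PANs starting 34/37, 3 digits otherwise.
    """
    pan = pan.replace(" ", "")
    if not luhn_valid(pan):
        return False
    expected_cvv_len = 4 if pan[:2] in ("34", "37") else 3
    return cvv.isdigit() and len(cvv) == expected_cvv_len


def triage_inbox(messages):
    """Split SMS bodies into (hidden_from_user, shown_to_user).

    This is the decision a malicious default-SMS app makes for each incoming
    message: verification codes are kept for the operators, everything else
    is passed through so the victim notices nothing.
    """
    hidden = [m for m in messages if is_verification_sms(m)]
    shown = [m for m in messages if not is_verification_sms(m)]
    return hidden, shown


# Constructed sample inbox; none of these are real messages.
SAMPLE_INBOX = [
    "Your verification code is 482913. Do not share it.",
    "Код подтверждения: 7731. Никому не сообщайте.",
    "Hi, are we still meeting at 1830?",
    "Your order 20190615 has shipped.",
]

if __name__ == "__main__":
    hidden, shown = triage_inbox(SAMPLE_INBOX)
    print("suppressed:", hidden)
    print("delivered:", shown)
    print(card_looks_valid("4111 1111 1111 1111", "123"))   # Luhn-valid test PAN
    print(card_looks_valid("4111 1111 1111 1112", "123"))   # check digit wrong
```

The same `is_verification_sms` rule, read the other way round, is a starting point for a defender: an app that has made itself the default SMS handler and whose message handling drops exactly the messages this function flags is behaving like the Russian variant described above.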
In the European versions that Shishkova has seen, the malware is much more limited. It does not have the fake screens that request bank card details. One reason may be that this version is incomplete. Another may be that it is aimed mainly at Russian expats. In the case of Ukraine, it may be that at this early stage the goal is gathering user data for later attacks rather than directly raiding users' bank accounts.
Enterprise Times: What does this mean?
Banking trojans are a core tool for many cybercrime groups. They give access to cash and, importantly, verified data on users. That data can then be reused in other phishing attacks and used to confirm data stolen through breaches.
It will be interesting to see how quickly Kaspersky sees Riltok evolving into a more effective non-Russian piece of malware.