FakeBank is an Android Trojan first discovered in 2013 that opens a backdoor and steals information from the compromised device. The Trojan loads onto the victim's device masquerading as a Google Play Store application and requests unnecessary permissions, including:
- write to external storage devices,
- mount and unmount file systems for removable storage,
- monitor, read, and send SMS messages,
- install shortcuts,
- open network connections, and
- read contact data.
Once installed, FakeBank checks whether certain online banking applications are installed. If any are discovered, the Trojan deletes the legitimate app and installs a malicious version. In March of this year, FakeBank was updated to include the additional function of call-barring, preventing victims from using their infected devices to cancel payment cards and alert their banks about possible fraud. The Trojan registers a BroadcastReceiver component that is triggered every time the victim attempts an outgoing call. If the dialed number matches a known phone number of a bank's customer service center, the malware cancels the call. Currently, the call-barring feature of FakeBank only impacts customers of Russian and South Korean banks.
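The permission set and the outgoing-call receiver described above can be checked statically during app triage. The following is an added example, not code from the original page or from any vendor report: it scans a decoded AndroidManifest.xml for those two traits. The Android permission names mapped to each bullet, the `min_profile_hits` threshold, and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping of the permissions listed above to Android permission names.
PROFILE_PERMISSIONS = {
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.MOUNT_UNMOUNT_FILESYSTEMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "com.android.launcher.permission.INSTALL_SHORTCUT",
    "android.permission.INTERNET",
    "android.permission.READ_CONTACTS",
}
# Broadcast sent for outgoing calls, and the permission needed to receive it.
OUTGOING_CALL_ACTION = "android.intent.action.NEW_OUTGOING_CALL"
OUTGOING_CALL_PERMISSION = "android.permission.PROCESS_OUTGOING_CALLS"


def triage_manifest(manifest_xml, min_profile_hits=6):
    """Return findings for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    # Receivers whose intent filter listens for outgoing-call broadcasts.
    call_receivers = sorted(
        rcv.get(ANDROID_NS + "name", "?")
        for rcv in root.iter("receiver")
        if any(a.get(ANDROID_NS + "name") == OUTGOING_CALL_ACTION
               for a in rcv.iter("action"))
    )
    hits = sorted(PROFILE_PERMISSIONS & requested)
    can_intercept = bool(call_receivers) and OUTGOING_CALL_PERMISSION in requested
    return {
        "package": root.get("package"),
        "profile_permissions": hits,
        "call_receivers": call_receivers,
        # Hypothetical rule: most of the profile plus an outgoing-call receiver.
        "suspicious": len(hits) >= min_profile_hits and can_intercept,
    }


# Constructed sample manifest (not taken from a real sample).
SAMPLE = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
    ' package="com.example.constructed">'
    + "".join(f'<uses-permission android:name="{p}"/>'
              for p in sorted(PROFILE_PERMISSIONS | {OUTGOING_CALL_PERMISSION}))
    + '<application><receiver android:name=".CallWatcher"><intent-filter>'
    + f'<action android:name="{OUTGOING_CALL_ACTION}"/>'
    + "</intent-filter></receiver></application></manifest>"
)
```

The input must be a manifest already decoded to text XML (for example with apktool). For untrusted files, parse with a hardened parser such as defusedxml instead of the standard library.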
- November 2016: FakeBank is spreading on Android devices disguised as a one-time password generator app used for banking applications. Perpetrators can steal victims’ banking credentials and take over their phones by installing the TeamViewer QuickSupport app. (Neurogadget)
- November 2016: The Trojan uses a mechanism to bypass Android’s Doze function — a whitelist of applications permitted to function in the phone’s background when the device is in sleep mode — in order to stay connected to its command and control (C2) servers and continue its malicious activities. (BleepingComputer)
- July 2016: Call-barring functionality added. (Symantec)
- Symantec provides technical details on the FakeBank Trojan.