Faketoken was first discovered in 2012 as Android spyware targeting mobile banking users by posing as a fake token generator. The Trojan would ask the victim for his or her password and generate a fake token while it executed malicious code in the background and send the user’s information to a specified number and remote servers.

In 2014, Faketoken grew in popularity to #13 of the top 20 mobile threats of 2014. The perpetrators used social engineering to infect mobile devices. The user is prompted to download an Android application allegedly needed to conduct secure transactions, but the link instead leads to Faketoken. Once the device is infected, the attacker gains access to the victim’s bank account, harvests mobile Transaction Authentication Numbers (mTANs) and transfers the victim’s money to the attacker’s account. The Trojan affected Android-powered smartphones in 55 countries, including the United States.

In July 2016, Faketoken evolved further to become one of the few mobile banking Trojans to encrypt user data, mimicking ransomware. As of December 2016, it had infected 16,000 users in 27 countries mostly located in Russia, Ukraine, Germany, and Thailand. Once the Trojan is active, it requests administrator rights. If the user refuses, Faketoken repeatedly refreshes the window requesting these rights. Once it has obtained administrator rights, it requests permissions to access the user’s text messages, files and contacts, to send SMS texts, and to make calls. Faketoken then asks for the right to display windows on top of other applications, in order to steal user data by displaying phishing pages. Finally, it requests the right to be the default SMS application, allowing it to covertly steal text messages. Faketoken downloads an archive of file icons for several apps related to social networks, instant messengers, and browsers. It attempts to delete previous application shortcuts and replace them with new ones. Faketoken displays various phishing messages and, once the victim clicks on the link, a phishing page is displayed designed to steal passwords from Gmail accounts and bank card details from Google Play Store accounts. This version also can extort money by encrypting user files, similar to ransomware. It compiles a list of files on the device that corresponds to one of 89 extensions and encrypts them using AES, appending the files with the extension .cat. If users believe they’ve been infected with Faketoken and their files have been encrypted, please check for cloud-based copies of these files as they are likely to be unencrypted, eliminating the need to pay any ransom to regain access to these files.


  • April 2014: Faketoken banking Trojan grows rapidly. (Kaspersky Lab)
  • December 2014: Faketoken encrypts files. (SecureList)

Technical Details

  • Technical Details on the Faketoken spyware of 2012 are available from Trend Micro, here.

One example of the Faketoken variant. Image Source: Securelist