What Is It?

Researchers at Kaspersky have detailed their analysis of an Android banking trojan they have named Riltok, after one of the libraries packaged with the malicious app. Initially targeted at Russian users, it has since been found infecting devices in France, Italy, the United Kingdom and Ukraine.

Generally, users are infected by clicking on a link in an SMS that claims to be an update to one of several popular free classified advertisement apps. In order to install itself, the app needs the user to permit the installation of apps from unknown sources, something many users wouldn’t give a second thought to before allowing. Riltok then requests the special features privilege in AccessibilityService by showing a fake pop-up message, which redisplays itself continually until the user accepts it. Once granted this access, Riltok makes itself the default SMS app.
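The three settings changes described in this chain (unknown sources allowed, an accessibility service enabled, default SMS handler replaced) can be read off a managed Android device and checked together. The triage helper below is an added example, not code from the original report or from Kaspersky; it parses the output of `adb shell settings get secure <key>` for the real keys `enabled_accessibility_services`, `sms_default_application` and `install_non_market_apps`, and the allowlist and sample values are constructed.

```python
"""Flag the permission combination Riltok relies on, from `settings get secure` output.

Added example (not part of the original report). Inputs are the raw strings printed by:
  adb shell settings get secure enabled_accessibility_services   # 'pkg/cls:pkg/cls'
  adb shell settings get secure sms_default_application          # package name
  adb shell settings get secure install_non_market_apps          # '1' = allowed (pre-Android 8)
"""
from dataclasses import dataclass

# Accessibility services expected on the fleet (constructed allowlist, adjust per device image).
KNOWN_GOOD_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_component_list(raw: str) -> set[str]:
    """enabled_accessibility_services is a ':'-separated list of 'pkg/cls' ComponentNames.
    `settings get` prints the literal string 'null' when a key has never been set."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}


@dataclass
class Finding:
    severity: str
    message: str


def assess(accessibility_raw: str, default_sms_raw: str, unknown_sources_raw: str) -> list[Finding]:
    """Return findings ordered by the chain: unknown sources first, then accessibility/SMS overlap."""
    findings: list[Finding] = []
    a11y_pkgs = parse_component_list(accessibility_raw)
    default_sms = default_sms_raw.strip()
    if default_sms == "null":
        default_sms = ""
    if unknown_sources_raw.strip() == "1":
        findings.append(Finding("medium", "installs from unknown sources are enabled device-wide"))
    for pkg in sorted(a11y_pkgs - KNOWN_GOOD_PACKAGES):
        if pkg == default_sms:
            # The Riltok pattern: the same non-allowlisted app holds both roles.
            findings.append(Finding("high", f"{pkg} holds an accessibility service AND is the default SMS app"))
        else:
            findings.append(Finding("low", f"{pkg} holds an enabled accessibility service (not allowlisted)"))
    return findings


# Constructed sample output in the settings format; not captured from a real device or sample.
SAMPLE_A11Y = "com.google.android.marvin.talkback/.TalkBackService:com.example.fakeupdate/.a.Svc"
SAMPLE_SMS = "com.example.fakeupdate"
SAMPLE_UNKNOWN = "1"

if __name__ == "__main__":
    for f in assess(SAMPLE_A11Y, SAMPLE_SMS, SAMPLE_UNKNOWN):
        print(f"[{f.severity}] {f.message}")
```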

More recent variants of Riltok open a phishing page on startup that appears to be a free classified advertisement service. The purpose of this is to capture login credentials and payment card details. Mirroring the functionality of banking trojans on other platforms, Riltok uses a configuration file containing a list of changes to make to banking websites and banking apps. These changes can include displaying a fake Google Play window asking for payment card details, or displaying a fake login page for banking apps or banking websites in order to obtain users’ login credentials. Riltok can also hide screens and pop-ups from anti-virus applications, as well as warnings about device security settings.

Though it exhibits no particularly unique functionality, Riltok is a good reminder of the potential impact of a user thinking nothing of clicking on a link and then selecting OK on a couple of pop-ups. Those simple actions give Riltok all the access it needs to potentially hand attackers all of the user’s financial information and access to their funds.

How Does It Propagate?

The malware propagates via malicious SMS messages it sends from infected devices. The message claims to contain a link to accept an incoming payment, but following it results in the trojan being downloaded.

When/How Did BluVector Detect It?

Nine samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected for an average of 37 months prior to their release. Note: BluVector would only detect the malware if the Android device was connected to a corporate network monitored by BluVector.