
Riltok

Posted: July 8, 2019

The Riltok mobile banking Trojan has been threatening Android users around the world for over a year. While it was believed that its primary targets were located in Russia and the surrounding region, its activity in 2019 shows that it might have infected devices in France, the United Kingdom and other European countries. Nevertheless, over 90% of Android devices infected with the Riltok Trojan are still located in Russia.

Bogus Advertising Applications Used to Deliver the Riltok Trojan

One of the interesting bits about this Trojan is that its authors have opted to spread it via bogus SMS messages that urge users to take advantage of free advertising services in Russia. Of course, the SMS spam campaign has been modified slightly when it is meant to target residents of other European countries. The potential victim is asked to download what appears to be a legitimate Android application that has been disguised to look like Avito, Gumtree, Subito, Leboncoin or Youla.

Once the application has been installed, it may immediately display a prompt asking for various permissions as well as to be set as the default SMS app. If the user declines, the prompt will appear over and over again until the request is accepted. If the user fails to notice the fishy behavior and grants the permissions requested by the Riltok Trojan, the threat may contact its Command & Control server immediately.

Fake Log-In Pages Used to Harvest Users' Credentials

Recent versions of Riltok can load a fake registration page for the advertising service – of course, the victims will not be registering anywhere and, instead, they will simply hand their login details to the attackers. The attackers can then use this information to check whether the victim has been using an identical login and password combination on other sites and services.

The Trojan can then check the phone's installed applications and see whether the user has been using particular mobile banking applications. If a match is found, Riltok may load a phishing page the next time the user tries to open the banking application and prompt them to log in from there. As you can probably guess, doing that would provide the attackers with the login credentials for the user's online banking account. In addition to this phishing technique, Riltok is also able to spawn a fake 'Google Play' prompt that asks the victim to enter credit card details.
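The two behaviours described above, competing for the default SMS handler role and drawing phishing screens over other apps, both leave traces in an APK's decoded AndroidManifest.xml. The triage heuristic below is an added example for analysts, not code from this page or from Riltok; it assumes a decoded manifest as input, uses the intent actions Android requires of a default SMS app, and runs on a constructed sample manifest.

```python
"""Triage heuristic for a decoded AndroidManifest.xml: flag apps that ask to
become the default SMS handler and can draw over other apps, the combination
the Riltok description relies on. The sample manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Intent actions an app must handle to be eligible as the default SMS app
# (documented in the Android Telephony API); a real messenger needs all of
# them, while a "classified ads" app has no reason to handle any of them.
SMS_ROLE_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}
# Permission needed to draw a window on top of another app (overlay phishing).
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"


def triage_manifest(xml_text: str) -> dict:
    """Return the indicators found; 'suspicious' is True when the app both
    competes for the default SMS role and can overlay other apps."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    actions = {a.get(ANDROID + "name") for a in root.iter("action")}
    sms_role = SMS_ROLE_ACTIONS & actions
    overlay = OVERLAY_PERMISSION in perms
    return {
        "package": root.get("package"),
        "sms_role_actions": sorted(sms_role),
        "overlay": overlay,
        "suspicious": bool(sms_role) and overlay,
    }


# Constructed sample: a fake ads app that wants SMS delivery plus overlays.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeads">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".SmsReceiver"
              android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The heuristic is a triage aid only: a legitimate messaging app will trip the SMS-role check, so the overlay permission and the app's claimed purpose are what make the combination worth a closer look.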

To protect your phone from the Riltok Trojan, you should make sure to use a reputable anti-virus service. In addition to this, you need to pay attention to the software you download – remember that you should never install applications from untrusted sources.
