Riltok: Mobile Banking Trojan With An International Approach

by Gracy Williams

SMiShing, or SMS phishing, is a form of cyber-attack in which attackers send fraudulent text messages crafted to look legitimate. The forged message contains a malicious link that redirects the victim to a phishing website built to harvest sensitive and confidential information. One such campaign has been named Riltok.

Originally aimed at Russian users, Riltok is a family of mobile banking Trojans with standard functionality and distribution techniques. The family was named Riltok after the librealtalkjni.so library contained in the Trojan’s APK file.

With minimal alterations, the Trojan was later deployed to the European “market.” Russia is by far the worst affected region, with more than 90% of victims, followed by France with 4% and then Italy, Ukraine and the United Kingdom. The banker Trojan was first detected in March 2018, disguised as an application for popular free classified ad services located in Russia.

The malware spreads from infected devices via SMS messages of the form “%USERNAME%, I’ll buy under a secure transaction. youlabuy[.]ru/7*****3” or “%USERNAME%, accept 25,000 on Youla youla-protect[.]ru/4*****7”. Each message contains a link for downloading the Trojan.

Riltok went international in late 2018 using the same masking and distribution methods, with names and icons imitating popular free ad services. In November 2018 the Trojan appeared for the English-speaking market disguised as Gumtree.apk; the SMS carried a malicious link to the banker: “%USERNAME%, i send you prepayment gumtree[.]cc/3*****1”. Italian and French versions of the Trojan also appeared.

At the time of writing, the functionality of most Western versions of Riltok was somewhat pared down compared to the Russian one. For instance, the malware does not contain fake built-in windows requesting bank card details, and the default configuration file with injects is non-operational.

How Does Riltok Work?

The victim receives an SMS containing a malicious link that points at a fake website imitating a popular free ad service. Once the victim clicks the link, they are prompted to download a “new version” of the mobile application, under which pretense the Trojan is concealed. The Trojan can be installed only if the victim permits installing applications from unknown sources. During setup, Riltok requests permission to use Accessibility Service features by showing a fabricated warning; if the user ignores or declines the request, the window reopens indefinitely. Once the Trojan obtains the permission, it sets itself as the default SMS app and then disappears from the device screen.
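The combination described above (an accessibility service, SMS permissions and a receiver that lets the app become the default SMS handler, plus the librealtalkjni.so library the family is named after) can be checked for in a static APK triage step. The following is an added example, not code from the article or from any vendor; it assumes the AndroidManifest.xml has already been decoded from its binary form (for example with apktool or aapt) and takes the decoded XML text plus the APK’s ZIP entry list. The manifest, package name, class names and file list below are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Build the namespaced attribute key ElementTree uses for android:<name>."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed sample manifest (hypothetical package and class names) modelled on
# the behaviour the article describes: SMS permissions, an accessibility service
# and a receiver for SMS_DELIVER, which is what a default SMS handler must declare.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freeads">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="FreeAds">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".SmsReceiver"
              android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed ZIP entry list, as zipfile.ZipFile(path).namelist() would return it.
SAMPLE_FILE_LIST = [
    "AndroidManifest.xml",
    "classes.dex",
    "lib/armeabi-v7a/librealtalkjni.so",
    "res/drawable/icon.png",
]

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_DELIVER_ACTION = "android.provider.Telephony.SMS_DELIVER"
RILTOK_LIB = "librealtalkjni.so"  # native library the Riltok family is named after


def triage(manifest_xml, file_list):
    """Score an APK on the indicators the article associates with Riltok."""
    root = ET.fromstring(manifest_xml)
    name_key = android_attr("name")

    requested = {e.get(name_key) for e in root.iter("uses-permission")}
    sms_perms = sorted(requested & SMS_PERMISSIONS)

    # A service protected by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
    accessibility = any(
        s.get(android_attr("permission")) == ACCESSIBILITY_BIND
        for s in root.iter("service")
    )
    # Handling SMS_DELIVER is required to be offered the default-SMS-app role.
    default_sms = any(a.get(name_key) == SMS_DELIVER_ACTION for a in root.iter("action"))
    # Family-specific artefact: the library name from which Riltok got its name.
    riltok_lib = any(p.rsplit("/", 1)[-1] == RILTOK_LIB for p in file_list)

    if riltok_lib or (accessibility and default_sms):
        verdict = "high"
    elif accessibility or default_sms or sms_perms:
        verdict = "medium"
    else:
        verdict = "low"

    return {
        "sms_permissions": sms_perms,
        "accessibility_service": accessibility,
        "default_sms_handler": default_sms,
        "riltok_library": riltok_lib,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_MANIFEST, SAMPLE_FILE_LIST).items():
        print("%-22s %s" % (k, v))
```

The verdict logic is deliberately conservative: an accessibility service or SMS permissions alone are legitimate in many apps, so they only raise the score to medium; the pairing of an accessibility service with a default-SMS-handler receiver, or the family-specific library name, is what pushes a sample to high.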

The Trojan then contacts its C&C server. First, the malware registers the compromised device on the administrative panel by sending a GET request to the relative address gate.php with the id and screen parameters. Subsequently, using POST requests to the relative address report.php, the Trojan transmits information about the device, the contact list, installed apps, incoming SMS and other data. The Trojan receives commands and configuration changes from the server.
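The check-in sequence described above (a GET to gate.php carrying both id and screen, followed by POSTs to report.php against the same host) is a usable network detection pattern. The following is an added example, not the article’s or any vendor’s code: it runs that logic over constructed log lines in a simple hypothetical “timestamp source method url status” layout, and the hostnames (c2-host.example and the others) are placeholders, not indicators from the article.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log in a hypothetical "ts src method url status" layout.
# c2-host.example stands in for the C&C host; the other hosts are benign noise.
SAMPLE_LOG = """\
2019-06-25T10:00:01Z 10.0.0.12 GET http://c2-host.example/gate.php?id=7f3a21&screen=1080x1920 200
2019-06-25T10:00:04Z 10.0.0.12 POST http://c2-host.example/report.php 200
2019-06-25T10:00:09Z 10.0.0.12 POST http://c2-host.example/report.php 200
2019-06-25T10:01:00Z 10.0.0.34 GET http://shop.example/gate.php?id=42 200
2019-06-25T10:02:00Z 10.0.0.56 GET http://news.example/index.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status = m.groups()
    return {"ts": ts, "src": src, "method": method, "url": url, "status": int(status)}


def find_riltok_checkins(log_text):
    """Correlate gate.php registration and report.php beacons per (source, host)."""
    state = defaultdict(lambda: {"registered": False, "reports": 0, "first_seen": None})

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        u = urlsplit(rec["url"])
        path = u.path.lower()
        key = (rec["src"], u.hostname)

        if rec["method"] == "GET" and path.endswith("/gate.php"):
            params = parse_qs(u.query)
            # Registration as described: both id and screen must be present.
            if "id" in params and "screen" in params:
                state[key]["registered"] = True
                if state[key]["first_seen"] is None:
                    state[key]["first_seen"] = rec["ts"]
        elif rec["method"] == "POST" and path.endswith("/report.php"):
            state[key]["reports"] += 1

    findings = []
    for (src, host), s in state.items():
        if s["registered"] and s["reports"] > 0:
            severity = "high"    # registration followed by beacons on the same host
        elif s["registered"]:
            severity = "medium"  # registration pattern only
        elif s["reports"] > 0:
            severity = "low"     # report.php alone is a weak, generic signal
        else:
            continue             # e.g. gate.php without the screen parameter
        findings.append({
            "src": src,
            "host": host,
            "severity": severity,
            "report_posts": s["reports"],
            "first_seen": s["first_seen"],
        })
    return findings


if __name__ == "__main__":
    for f in find_riltok_checkins(SAMPLE_LOG):
        print(f)
```

Correlating the two endpoints per source-and-host pair is what keeps the false-positive rate down: gate.php and report.php are common enough names that either alone should only raise a low or medium alert, while the registration-then-beacon sequence from one device to one host is the behaviour the article attributes to Riltok.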

In more advanced versions, the Trojan opens a phishing site in the browser that imitates a free ad service, luring the user into entering their login credentials and bank card details. Once card details are entered in the bogus login window, the Trojan carries out basic validation checks (card validity period, CVC length, etc.) and then forwards the credentials to the cybercriminals.

How Could the Trojan Have Been Prevented From Spreading?

  • Being cautious is the most important step in preventing any mishap. If a message seems irrelevant to your interests, avoid clicking on the link.
  • Allow downloads of files from trusted sources only, and grant an application only the permissions its purpose actually requires.
  • Taking proactive measures is extremely important, since they help protect your organization from threats that could cripple it entirely. Cybersecurity awareness and training enable employees within the organization to combat such cyber-attacks. ThreatCop is a security attack simulator and awareness tool that trains employees to identify real-life cyber threats and take appropriate measures to prevent such an attack from spreading.
