The Riltok banking trojan, originally intended to target Russians, has, after a few modifications, set its sights on the European market.
The malware has more recently diverted four percent of its traffic to France and even smaller percentages to Italy, Ukraine and the U.K., although 90 percent of its victims are in Russia, according to a June 25 Kaspersky blog post.
Riltok is distributed from infected devices via SMS, disguised as apps for popular free ad services in Russia. Victims typically receive an SMS containing a malicious link pointing to a fake website that appears to be a popular free ad service.
They are then prompted to download a “new version” of the mobile app, which is actually the trojan. To install the phony app, a victim must permit the installation of apps from unknown sources in the device settings.
Riltok asks the user for permission to use special features in AccessibilityService, and if the user ignores or declines the request, the window keeps opening ad infinitum.
Once the malware has obtained the desired rights, the trojan sets itself as the default SMS app (by independently clicking Yes in AccessibilityService) before vanishing from the device screen.
Once a device is infected, the malware actively communicates with its Command and Control servers and receives various commands.
Researchers noted the malware sends data about the device including the IMEI, phone number, country, mobile operator, phone model, availability of root rights, OS version, list of contacts, list of installed apps and incoming SMS.
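The three on-device behaviours described above (installation from an unknown source, an enabled AccessibilityService, and takeover of the default SMS role) can be checked together during device triage. The following is an added example, not code from Kaspersky or the article. It assumes the inputs were collected with `settings get secure enabled_accessibility_services`, `settings get secure sms_default_application` and `pm list packages -i`, and every package name in it is constructed.

```python
# Added example. All sample values are constructed, not taken from a real device.
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted


def accessibility_packages(setting_value):
    """Packages that own an enabled accessibility service.

    The setting holds colon-separated 'package/ServiceClass' components.
    """
    value = (setting_value or "").strip()
    if value in ("", "null"):
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}


def installers(pm_output):
    """Map package -> installer from `pm list packages -i` style lines."""
    found = {}
    for line in pm_output.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("package:"):
            inst = [f.split("=", 1)[1] for f in fields[1:] if f.startswith("installer=")]
            found[fields[0][len("package:"):]] = inst[0] if inst else "null"
    return found


def triage(a11y_setting, default_sms, pm_output):
    """Grade each accessibility-enabled package by the other two signals."""
    inst = installers(pm_output)
    verdicts = {}
    for pkg in sorted(accessibility_packages(a11y_setting)):
        untrusted = inst.get(pkg, "null") not in TRUSTED_INSTALLERS
        is_sms = pkg == default_sms.strip()
        if untrusted and is_sms:
            verdicts[pkg] = "high"      # all three behaviours together
        elif untrusted or is_sms:
            verdicts[pkg] = "review"    # partial match, needs a human look
    return verdicts


SAMPLE_A11Y = ("com.example.freeads/com.example.freeads.Svc:"
               "com.example.reader/com.example.reader.ReaderService")
SAMPLE_SMS = "com.example.freeads"
SAMPLE_PM = """package:com.example.freeads  installer=null
package:com.example.reader  installer=com.android.vending
package:com.example.notes  installer=null
"""

if __name__ == "__main__":
    print(triage(SAMPLE_A11Y, SAMPLE_SMS, SAMPLE_PM))
```

A "review" verdict is expected for some legitimate apps, since a recorded installer outside the trusted set is not proof of malice on its own.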