Faketoken, the Android ransomware banker that encrypted files

Pierluigi Paganini December 20, 2016

The banker Android ransomware Faketoken that steals financial information and sensitive data now also implements file-encrypting abilities.

Security experts from Kaspersky Lab have spotted a strain of known Android malware that now implements also ransomware-like abilities. According to the researchers, Vxers are adding file-encrypting capabilities to traditional mobile banking trojans, the result is a malware that is able both to steal sensitive data and lock user files on the phone’s SD card.

This malware with hybrid capabilities is also called ransomware banker.The ransomware functionality in mobile banking Trojans is considered an exception, the Svpeng malware discovered in 2014 is one of the first malware with this ability. The modern mobile ransomware doesn’t limit their actions to block the screen, but it also encrypts user files.The trojan discovered by Kaspersky is dubbed Faketoken, the name suggests its primary feature is to steal login credentials by generating fake login screens for more than 2,000 financial applications. Faketoken is also able to steal credit card information by displaying victims displays phishing pages.

Faketoken phishing page

Researchers noticed that file-encrypting capabilities were implemented in Faketoken since July and have since released thousands of versions that include new features.

“We have managed to detect several thousand Faketoken installation packages capable of encrypting data, the earliest of which dates back to July 2016.” reads a blog post published by Kaspersky.

Trojan-Banker.AndroidOS.Faketoken is distributed under the guise of various programs and games, often imitating Adobe Flash Player.”

The researchers confirmed the number of the victims exceeds 16,000 users, they observed infections in 27 countries, mostly in Russia, Ukraine, Germany, and Thailand.

Faketoken uses an AES symmetric encryption algorithm to encrypt the files, this is a good news for the victims that have a chance of decrypting them without paying a ransom.

“The Trojan receives the encryption key and the initialization vector from the C&C server. The encrypted files include both media files (pictures, music, videos) and documents. The Trojan changes the extension of the encrypted files to .cat.” continues the analysis.

The researchers highlighted the fact that file encryptions are not popular with the mobile malware developers because most files stored on a mobile device are usually copied to the cloud.

For more in on Faketoken give a look at the technical analysis published by Kaspersky.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Faketoken, ransomware banker)

[adrotate banner=”13″]

Cybercrime Faketoken malware mobile ransomware ransomware banker

Pierluigi Paganini July 08, 2025

IT Worker arrested for selling access in $100M PIX cyber heist

Pierluigi Paganini July 07, 2025