Malware spreading through Europe, hijacking text messages to steal bank account and payment card information

Woburn, MA – June 25, 2019 — / — Kaspersky researchers have discovered that the money-stealing mobile malware Riltok, first observed in mid-2018, has launched new variants. The malware is extending its targeting outside of Russia, now attacking Europe by disguising itself as services popular in France, Italy and the United Kingdom.

Riltok is a banking Trojan, designed to gain access to the financial accounts and assets of their victims by stealing login credentials and hijacking online banking sessions. These Trojans often disguise themselves as legitimate web services and apps to trick the user into installing it and entering their credentials and sensitive data.

In the case of the Riltok Trojan (the name comes from ‘Real Talk’), the attack scenario generally starts with a user receiving an SMS message with a link to a fake website that closely resembles a popular website for free classified advertising. The website invites the user to install the new version of the service’s mobile app, which is, in fact, the Riltok malware. Once the malware is downloaded and receives the necessary permissions from the infected victim, it appoints itself as the default app for receiving and viewing SMS messages. This lets the attackers see all SMS messages, including confirmation codes sent through text, and allows them to send messages to other numbers for further propagation of the malware.

The main functions of the malware include:

  • Stealing payment card details by displaying a fake Google Play store app screen and asking the victim to enter their credit or debit card information. It also performs a basic check to ensure the details provided are genuine, like counting the number of digits entered for the card.
  • Stealing bank account credentials by displaying a screen that mimics a banking app, or opening a phishing page in the browser.
  • Hiding the activity and settings of other apps, such as security solutions or settings dedicated to device safety.
  • Hiding notifications from legitimate bank apps.

Kaspersky experts have detected around 4,000 users who have been targeted by this malware to date, mainly in Russia, but also in Italy, France and the UK.

“We’ve been watching how the Riltok malware is being distributed slowly but steadily across Russia, and we expect to see a rise in attacks as the cybercriminals behind this threat extend their reach to new countries and continents, starting with Europe,” said Tatyana Shishkova, security researcher at Kaspersky. “We’ve observed this scenario many times before; in our experience, once threat actors create a successful malware and test it in Russia, they adapt it for foreign victims and explore new territories. Usually such threats end up going global.”

Kaspersky products detect the threat as Trojan-Banker.AndroidOS.Riltok.

To protect yourself from financial malware, including the Riltok Trojan, Kaspersky security specialists advise:

  • Never click on suspicious links in text messages.
  • Block the installation of programs from unknown sources and install only apps from official app stores.
  • Always pay attention to the permissions that an app requests. If a permission does not seem to suit the app’s function, proceed with caution.
  • Use a robust security solution to protect you from malicious software. The free version of Kaspersky Internet Security for Android can help you avoid these kinds of threats.

Read more about Riltok Banking Trojan on

About Kaspersky
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at

Media Contact
Meghan Rimol

Source: Kaspersky




Tags: ,