Earlier, Faketoken stole banking credentials, but now it also holds users' data for ransom.
The modified Faketoken can steal credentials from more than 2,000 Android financial applications, security researchers at Kaspersky Lab warn. Based on telemetry, Kaspersky Lab estimates that Faketoken has claimed over 16,000 victims in 27 countries. Users in Russia, Ukraine, Germany and Thailand have been the most heavily affected. Variants of the malware first surfaced back in July.
The researchers say:
“The newly added data-encryption capability is unusual in that most mobile ransomware focuses on blocking the device rather than the data, which is generally backed up to the cloud,” Kaspersky Lab researchers explained. “In Faketoken’s case, the data – including documents and media files such as pictures and videos – is encrypted using an AES symmetric encryption algorithm that can, in some cases, be decrypted by the user without paying a ransom.”
When infecting a device, Faketoken first asks for the user's permission or for administrator access so that it can overlay other apps, often leaving the user no choice. Faketoken uses common apps or games to infect devices.
The new variant of Faketoken also tries to replace application shortcuts for social media networks, instant messengers and browsers with its own versions. The reason for this is unclear, as the substitute icons lead to the same legitimate applications. It’s probable that malicious coders have done this in order to lay the groundwork for future developments.
You can read more details about the new Faketoken variants in Kaspersky Lab's blog post.