Riltok Trojan horse. Main targets - Russia and the whole of Europe

After targeting Russia, Riltok switches its direction to France

Riltok Trojan horse spreads via misleading SMS messages and starts hitting Europe

Recently, reports about a notorious banking Trojan horse called Riltok have surfaced. Various sources have been informing people that the threat changed its main target from Russia to Europe; however, around 90% of victims are still in Russia.

Now, the Riltok trojan seems to be taking root in some European countries, such as the United Kingdom, Italy, France, and Ukraine. After the large number of infections in Russia, second place (4%) goes to France. The Riltok malware family was first discovered at the start of 2018.[1]

Cybersecurity experts have discovered that the hackers distributing the Riltok trojan used stealth tactics to give a harmless look to various infected ad-based services and applications that have been planted in the Android mobile app store.[2] At the end of 2018, the malware was targeting English-speaking people through this type of SMS text, tricking them into pressing the malicious hyperlink:

%USERNAME%, i send you prepayment gumtree[.]cc/3*****1

Gaining permission to AccessibilityService allows Riltok to plant itself on the targeted device

If potential victims are tricked by the suspicious SMS messages sent by the crooks and click the infectious hyperlink included in the text, or install a malicious version of some mobile phone application, they are likely to end up with the Riltok trojan on their device. The fun begins here.

The first thing Riltok does is request permission to use specific features such as AccessibilityService.[3] Denying the request is not that easy, however, as you will keep receiving a regular ad flow if you do not give access to this service. If everything goes as planned, the Riltok trojan sets itself as the main SMS application and starts communicating with the C&C server.[4]

Specific commands received from this remote server allow the Riltok malware to execute malicious actions on the infected device. In addition, this Trojan horse gains access to sensitive system details such as the mobile phone number, IMEI,[5] country of residence, device model, OS type, contact list, received SMS messages, and many more.
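The behaviour described above leaves traces in an app's manifest. The following is an added example, not part of the original article and not Riltok's own code: a Python triage check over a decoded AndroidManifest.xml that flags an app declaring both an accessibility service and a receiver for SMS_DELIVER, the broadcast that only the main (default) SMS app receives. The sample manifest, package name and finding labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"  # delivered only to the default SMS app
PROFILE_PERMS = {"android.permission.READ_PHONE_STATE",
                 "android.permission.READ_CONTACTS",
                 "android.permission.READ_SMS"}

# Constructed sample: decoded manifest of a hypothetical app, not taken from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freeads">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".Sms" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def actions(component):
    """Collect the intent-filter action names declared under one component."""
    return {a.get(ANDROID + "name") for a in component.iter("action")}

def triage_manifest(xml_text):
    """Return the set of traits (labels are this example's own) found in a manifest."""
    root = ET.fromstring(xml_text)
    findings = set()
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == A11Y_PERMISSION and A11Y_ACTION in actions(svc):
            findings.add("accessibility_service")
    if any(SMS_DELIVER in actions(rcv) for rcv in root.iter("receiver")):
        findings.add("default_sms_handler")
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    if perms & PROFILE_PERMS:
        findings.add("profiling_permissions")
    return findings

def needs_review(findings):
    # The combination the article describes: accessibility access plus taking over SMS.
    return {"accessibility_service", "default_sms_handler"} <= findings
```

The check expects the text form of the manifest, so a binary manifest from an APK has to be decoded first (for example with apktool). A match is a reason to look closer, not proof of infection, since legitimate messaging apps also register for SMS_DELIVER.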

Checking all SMS messages carefully is a crucial step to avoid malware such as Riltok

Trojan horses such as Riltok can perform numerous hazardous activities at once, which can bring users big monetary losses and also lead to identity theft if any personal information about the user is gathered from the device. Besides, experts have found that the threat is capable of identifying the crook's C&C server address, searching for banking and anti-malware apps, saving malicious website URLs, etc.

The best way to protect yourself from malware such as the Riltok trojan is to stay cautious while using your mobile phone. Try not to open any applications or hyperlinks that look questionable. Furthermore, do not follow any instructions in SMS messages to open particular links or download software, as original products are safely distributed ONLY on their original websites or app stores.

Note that if the Riltok trojan redirects you to a payment website that displays a window asking for your credit card information, such as the card number, expiration date, and CVV code, NEVER enter such details into these questionable-looking locations. This way criminals can swindle all of the money from your bank account, leaving you with nothing.

About the author
Linas Kiguolis
Linas Kiguolis - Expert in social media

Linas Kiguolis is one of News Editors and also the Social Media Manager of 2spyware project. He is an Applied Computer Science professional whose expertise in cyber security is a valuable addition to the team.
