
New variants of Russian mobile Banking Trojan Riltok spreading globally

Kaspersky researchers have discovered that the money-stealing mobile malware, Riltok has launched new variants and is extending its targeting from Russia to the rest of the world.


First observed in the middle of last year, Riltok is a banking Trojan.

Banking Trojans are a dangerous threat to smartphone users because they are designed to gain access to the financial accounts and assets of their victims, primarily by stealing login credentials and hijacking online banking sessions. They often disguise themselves as legitimate web services and apps to trick the user into installing them and entering their credentials and other sensitive data.

In the case of the Riltok Trojan (the name comes from ‘Real Talk’), the attack scenario generally starts with the user receiving an SMS message containing a link to a fake website that closely resembles a popular free classified-advertising site.

The website invites the user to install the new version of the service's mobile app, which is in fact the Riltok malware. Once the malware is downloaded and granted the necessary permissions by the victim, it appoints itself the default app for receiving and viewing SMS.

This lets the attackers see all SMS messages, including confirmation codes for bank card operations, and also send SMS to other numbers to propagate further.

The main functions of the malware include:

Stealing bank card credentials by displaying a fake Google Play Store screen and asking the victim to enter their payment card details. It also performs a basic check that the provided details look genuine, such as counting the number of digits entered for the card number.

Stealing bank account credentials by displaying a screen that mimics a banking app, or by opening a phishing page in the browser.

Hiding the activity and settings of other apps, such as security solutions or settings dedicated to device safety.

Hiding notifications from legitimate bank apps.

Kaspersky experts have detected around 4,000 users hit by this malware to date, mainly in Russia, but also in Italy, France and the UK. 

"We've been watching how the Riltok malware is being distributed slowly but steadily across Russia and we expect to see a rise in attacks as the cybercriminals behind this threat extend their reach to new countries and continents, starting with Europe. We've observed this scenario many times before; in our experience, once threat actors create a successful malware and test it in Russia, they adapt it for foreign victims and explore new territories. Usually such threats end up going global," said Tatyana Shishkova, security researcher at Kaspersky.

Kaspersky products detect the threat as Trojan-Banker.AndroidOS.Riltok.

To protect yourself from financial malware, including the Riltok Trojan, security specialists advise:

Never click on suspicious links in SMS.

Block the installation of programs from unknown sources and install only apps from official app stores.

Always pay attention to the permissions an app requests. If a permission does not suit the app's function, yet the app insists it be turned on, it is better not to use the app.

Use a robust security solution to protect you from malicious software and its actions.
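The two behaviours this advice targets, a sideloaded app taking over the default SMS handler role and apps holding SMS permissions they have no business with, can be checked on the device itself. The following Android (Java) routine is an added example written for this page, not Kaspersky's detection logic or code from the Riltok sample; it assumes the Play Store installer package name `com.android.vending` as the only trusted source, which is a simplification (some devices have other legitimate stores).

```java
// Added example: device-side triage for the SMS-handler takeover described above.
// Not Kaspersky's detection logic. Assumes com.android.vending (Play Store) is the
// only trusted installer; adjust TRUSTED_INSTALLER for devices with vendor stores.
// On Android 11+ the caller needs the QUERY_ALL_PACKAGES permission to see all apps.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.provider.Telephony;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public final class SmsHandlerTriage {
    private static final String TRUSTED_INSTALLER = "com.android.vending";
    private static final List<String> SMS_PERMS = Arrays.asList(
            "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS",
            "android.permission.READ_SMS");

    /** Returns human-readable findings; an empty list means nothing suspicious was seen. */
    public static List<String> run(Context ctx) {
        List<String> findings = new ArrayList<>();
        PackageManager pm = ctx.getPackageManager();

        // 1. Who is the default SMS app, and did it come from a trusted store?
        String defaultSms = Telephony.Sms.getDefaultSmsPackage(ctx);
        if (defaultSms != null
                && !TRUSTED_INSTALLER.equals(pm.getInstallerPackageName(defaultSms))) {
            findings.add("default SMS app " + defaultSms + " was not installed from the Play Store");
        }

        // 2. Which sideloaded apps currently hold granted SMS permissions?
        for (PackageInfo pi : pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)) {
            if (pi.requestedPermissions == null) continue;
            List<String> held = new ArrayList<>();
            for (int i = 0; i < pi.requestedPermissions.length; i++) {
                boolean granted = (pi.requestedPermissionsFlags[i]
                        & PackageInfo.REQUESTED_PERMISSION_GRANTED) != 0;
                if (granted && SMS_PERMS.contains(pi.requestedPermissions[i])) {
                    held.add(pi.requestedPermissions[i]);
                }
            }
            if (!held.isEmpty()
                    && !TRUSTED_INSTALLER.equals(pm.getInstallerPackageName(pi.packageName))) {
                findings.add(pi.packageName + " holds " + held + " and was sideloaded");
            }
        }
        return findings;
    }
}
```

A finding is a prompt to inspect the app, not proof of infection: a legitimate messaging app installed from a vendor store will also appear here.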
