# Riltok mobile Trojan: A banker with global reach

**securelist.com/mobile-banker-riltok/91374/**

Authors: [Tatyana Shishkova](https://securelist.com/author/tatyanashishkova/)

Riltok is one of numerous families of mobile banking Trojans with standard (for such malware) functions and distribution methods. Originally intended to target the Russian audience, the banker was later adapted, with minimal modifications, for the European “market.” The bulk of its victims (more than 90%) reside in Russia, with France in second place (4%). Third place is shared by Italy, Ukraine, and the United Kingdom.

_Geographic spread of the Riltok banking Trojan_

We first detected members of this family back in March 2018. [Like many other bankers](https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/), they were disguised as apps for popular free ad services in Russia. The malware was distributed from infected devices via SMS containing a link to download the Trojan, in the form:

- “%USERNAME%, I’ll buy under a secure transaction. youlabuy[.]ru/7*****3”
- “%USERNAME%, accept 25,000 on Youla youlaprotect[.]ru/4*****7”

Other samples were also noticed, posing as a client of a ticket-finding service or as an app store for Android.

It was late 2018 when Riltok climbed onto the international stage. The cybercriminals behind it kept the same masking and distribution methods, using names and icons imitating those of popular free ad services.

_Icons most frequently used by the Trojan: Avito, Youla, Gumtree, Leboncoin, Subito_

In November 2018, a version of the Trojan for the English market appeared in the shape of Gumtree.apk. The SMS message with a link to the banker looked as follows: “%USERNAME%, i send you prepayment gumtree[.]cc/3*****1”.

Italian (Subito.apk) and French (Leboncoin.apk) versions appeared shortly afterwards in January 2019. The messages looked as follows:

- “%USERNAME%, ti ho inviato il soldi sul subito subito-a[.]pw/6*****5” (It.)
- “%USERNAME%, ti ho inviato il pagamento subitop[.]pw/4*****7” (It.)
- “%USERNAME%, je vous ai envoyé un prepaiement m-leboncoin[.]top/7*****3” (Fr.)
- “%USERNAME%, j’ai fait l’avance (suivi d’un lien): leboncoin-le[.]com/8*****9” (Fr.)

Let’s take a more detailed look at how this banking Trojan works.

## Infection

The user receives an SMS with a malicious link pointing to a fake website simulating a popular free ad service. There, they are prompted to download a new version of the mobile app, under which guise the Trojan is hidden. To be installed, it needs the victim to allow installation of apps from unknown sources in the device settings.

During installation, Riltok asks the user for permission to use special features in AccessibilityService by displaying a fake warning. If the user ignores or declines the request, the window keeps opening ad infinitum. After obtaining the desired rights, the Trojan sets itself as the default SMS app (by independently clicking Yes in AccessibilityService), before vanishing from the device screen.

_After enabling AccessibilityService, the malware sets itself as the default SMS app_

Now installed and having obtained the necessary permissions from the user, Riltok contacts its C&C server. In later versions, when it starts, the Trojan additionally opens a phishing site in the browser that simulates a free ad service so as to dupe the user into entering their login credentials and bank card details. The entered data is forwarded to the cybercriminals.

_Phishing page from the French version of the Trojan_

## Communication with C&C

Riltok actively communicates with its C&C server.
First off, it registers the infected device in the administrative panel by sending a GET request to the relative address gate.php (in later versions gating.php) with two parameters: id (a device identifier generated pseudo-randomly from the device IMEI by the setPsuedoID function) and screen (whether the device is active; possible values are “on”, “off”, “none”). Then, using POST requests to the relative address report.php, it sends data about the device (IMEI, phone number, country, mobile operator, phone model, availability of root rights, OS version), the list of contacts, the list of installed apps, incoming SMS, and other information. From the server, the Trojan receives commands (for example, to send SMS) and changes to its configuration.

## Trojan anatomy

The family was named Riltok after the librealtalk-jni.so library contained in the APK file of the Trojan. The library includes such operations as:

- Get address of cybercriminal C&C server
- Get configuration file with web injects from C&C, as well as default list of injects
- Scan for app package names that generated AccessibilityEvent events in the list of known banking/antivirus/other popular apps
- Set malware as default SMS app
- Get address of the phishing page that opens when the app runs, and others

_getStartWebUrl function – get address of phishing page_

The configuration file contains a list of injects for mobile banking apps – links to phishing pages matching the mobile banking app used by the user. In most so-called Western versions of the Trojan, the package names in the default configuration file are erased.

_Sample configuration file of the Trojan_

Through AccessibilityService, the malware monitors AccessibilityEvent events.
Depending on which app (package name) generated the event, Riltok can:

- Open a fake Google Play screen requesting bank card details
- Open a fake screen or phishing page in a browser (inject) mimicking the screen of the relevant mobile banking app and requesting user/bank card details
- Minimize the app (for example, antivirus applications or device security settings)

Additionally, the Trojan can hide notifications from certain banking apps.

_List of package names of apps on events from which the Trojan opens a fake Google Play window (for the Russian version of the Trojan)_

_Example of Trojan screen overlapping other apps_

When bank card details are entered in the fake window, Riltok performs basic validation checks: card validity period, number checksum, CVC length, and whether the number is in the denylist sewn into the Trojan code.

_Examples of phishing pages imitating mobile banks_

At the time of writing, the functionality of most of the Western versions of Riltok was somewhat pared down compared to the Russian one. For example, the default configuration file with injects is non-operational, and the malware contains no fake built-in windows requesting bank card details.

## Conclusion

Threats are better prevented than cured, so do not follow suspicious links in SMS, and be sure to install apps only from official sources and check what permissions you are granting during installation. As Riltok shows, cybercriminals can apply the same methods of infection to victims in different countries with more or less the same success.

Kaspersky products detect the above-described threat with the verdict Trojan-Banker.AndroidOS.Riltok.
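The lure messages quoted at the start of this article share a template: a personalised opening, payment-themed wording, and a short numeric path on a domain that imitates a free ad service. The script below, added here as an example and not code from Kaspersky or from the Trojan, scores SMS bodies on those features so that an SMS gateway or MDM team can triage them. The legitimate-domain allowlist and the sample messages are constructed assumptions; the known Riltok domains are a subset of the IoC list in this article.

```python
"""Heuristic triage of SMS bodies for Riltok-style lures.

Added example for this article, not Kaspersky's or the Trojan's code.
The legitimate-domain allowlist and the sample messages are assumptions;
KNOWN_RILTOK_DOMAINS is a subset of the article's IoC list.
"""
import re

# Brands whose names and icons the Trojan imitates, mapped to the domains the
# real services use (assumed allowlist; a host carrying the brand name that is
# not under one of these is treated as a lookalike).
IMITATED_BRANDS = {
    "avito": ("avito.ru",),
    "youla": ("youla.ru",),
    "gumtree": ("gumtree.com",),
    "leboncoin": ("leboncoin.fr",),
    "subito": ("subito.it",),
}

# Distribution/C&C domains taken from the article's IoC list (subset).
KNOWN_RILTOK_DOMAINS = frozenset({
    "youlaprotect.ru", "buy-youla.ru", "sell-avito.ru", "avito-app.pw",
    "subitop.pw", "subito-li.pw", "web-gumtree.com", "leboncoin-buy.pw",
})

# Payment-themed wording seen in the lures quoted in the article (EN/IT/FR).
LURE_WORDS = ("secure transaction", "prepayment", "accept",
              "pagamento", "soldi", "prepaiement", "avance")

URL_RE = re.compile(r"(?i)\b(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(/\S*)?")
PERSONALISED_RE = re.compile(r"^\S+,\s")   # "<name>, ..." template opening
NUMERIC_PATH_RE = re.compile(r"/\d+")      # "/7*****3"-style short paths


def refang(text):
    """Restore defanged indicators (youlaprotect[.]ru, hxxp) so URLs parse."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def brand_lookalike(host):
    """Return the imitated brand if host carries its name but is not the real domain."""
    for brand, legit in IMITATED_BRANDS.items():
        if brand in host and not any(host == d or host.endswith("." + d) for d in legit):
            return brand
    return None


def triage_sms(text):
    """Score one SMS body; 3 or more points marks it suspicious."""
    msg = refang(text)
    score, reasons, hosts = 0, [], []
    if PERSONALISED_RE.match(msg):
        score += 1
        reasons.append("personalised '<name>,' opening")
    if any(word in msg.lower() for word in LURE_WORDS):
        score += 1
        reasons.append("payment-themed lure wording")
    for host, path in URL_RE.findall(msg):
        host = host.lower()
        hosts.append(host)
        if host in KNOWN_RILTOK_DOMAINS:
            score += 3
            reasons.append(f"known Riltok domain {host}")
        brand = brand_lookalike(host)
        if brand:
            score += 2
            reasons.append(f"{host} imitates {brand}")
        if NUMERIC_PATH_RE.fullmatch(path):
            score += 1
            reasons.append(f"short numeric path {path}")
    return {"score": score, "suspicious": score >= 3,
            "reasons": reasons, "hosts": hosts}


# Constructed sample messages modelled on the lure templates in the article.
SAMPLE_MESSAGES = [
    "Anna, I'll buy under a secure transaction. youlaprotect[.]ru/7123453",
    "Marco, ti ho inviato il pagamento subitop[.]pw/4987651",
    "Pierre, je vous ai envoye un prepaiement leboncoin-xx.example/8123459",
    "Paul, can you pick up milk? the list is at https://www.avito.ru/12345",
    "Your order 12345 has shipped, track it at https://example-shop.test/track",
]

if __name__ == "__main__":
    for sms in SAMPLE_MESSAGES:
        verdict = triage_sms(sms)
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} score={verdict['score']} {sms}")
        for reason in verdict["reasons"]:
            print("           -", reason)
```

The scoring is deliberately additive: a known indicator alone is enough to flag a message, while a lookalike domain on an unseen host still needs the template features (personalised opening, numeric path, payment wording) before it crosses the threshold, which keeps a legitimate listing link such as the fourth sample below it.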
## IoCs

**C&C**

- 100.51.100.00
- 108.62.118.131
- 172.81.134.165
- 172.86.120.207
- 185.212.128.152
- 185.212.128.192
- 185.61.000.108
- 185.61.138.108
- 185.61.138.37
- 188.209.52.101
- 5.206.225.57
- alr992.date
- avito-app.pw
- backfround2.pw
- background1.xyz
- blacksolider93.com
- blass9g087.com
- brekelter2.com
- broplar3hf.xyz
- buy-youla.ru
- cd78cg210xy0.com
- copsoiteess.com
- farmatefc93.org
- firstclinsop.com
- holebrhuhh3.com
- holebrhuhh45.com
- karambga3j.net
- le22999a.pw
- leboncoin-bk.top
- leboncoin-buy.pw
- leboncoin-cz.info
- leboncoin-f.pw
- leboncoin-jp.info
- leboncoin-kp.top
- leboncoin-ny.info
- leboncoin-ql.top
- leboncoin-tr.info
- myyoula.ru
- sell-avito.ru
- sell-youla.ru
- sentel8ju67.com
- subito-li.pw
- subitop.pw
- web-gumtree.com
- whitehousejosh.com
- whitekalgoy3.com
- youlaprotect.ru

**Examples of malware**

- 0497b6000a7a23e9e9b97472bc2d3799caf49cbbea1627ad4d87ae6e0b7e2a98
- 417fc112cd0610cc8c402742b0baab0a086b5c4164230009e11d34fdeee7d3fa
- 54594edbe9055517da2836199600f682dee07e6b405c6fe4b476627e8d184bfe
- 6e995d68c724f121d43ec2ff59bc4e536192360afa3beaec5646f01094f0b745
- bbc268ca63eeb27e424fec1b3976bab550da304de18e29faff94d9057b1fa25a
- dc3dd9d75120934333496d0a4100252b419ee8fcdab5d74cf343bcb0306c9811
- e3f77ff093f322e139940b33994c5a57ae010b66668668dc4945142a81bcc049
- ebd0a8043434edac261cb25b94f417188a5c0d62b5dd4033f156b890d150a4c5
- f51a27163cb0ddd08caa29d865b9f238848118ba2589626af711330481b352df
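As an added example (not Kaspersky's code), the detector below applies the C&C exchange described in the Communication with C&C section to proxy log lines: a GET to gate.php or gating.php carrying id= and screen= with screen set to on, off or none is treated as the registration beacon, and a later POST to report.php from the same client as the data upload. The log line format and the sample lines are constructed for this example; the indicator subset comes from the IoC list above.

```python
"""Proxy-log detector for the Riltok C&C exchange described in the article.

Added example, not Kaspersky's code. The log format and SAMPLE_LOG lines are
constructed; IOC_DOMAINS / IOC_IPS are a subset of the article's IoC list.
Assumed log line format: <timestamp> <client-ip> <method> <url> <status>
"""
from urllib.parse import parse_qs, urlsplit

IOC_DOMAINS = frozenset({
    "alr992.date", "avito-app.pw", "blacksolider93.com", "leboncoin-bk.top",
    "subitop.pw", "web-gumtree.com", "youlaprotect.ru",
})
IOC_IPS = frozenset({"185.212.128.152", "172.81.134.165", "188.209.52.101"})

# Registration beacon: GET gate.php (later gating.php) with id= and screen=
REGISTRATION_FILES = {"gate.php", "gating.php"}
SCREEN_VALUES = {"on", "off", "none"}
REPORT_FILE = "report.php"   # POSTed device data, contacts, app list, SMS

# Constructed sample traffic: one infected client (10.0.0.7) doing the full
# exchange, a benign gate.php hit, a beacon to an IoC IP, and a lone report.php.
SAMPLE_LOG = """\
2019-06-01T10:00:01Z 10.0.0.7 GET http://alr992.date/gate.php?id=3f9c1a7b&screen=on 200
2019-06-01T10:00:02Z 10.0.0.7 POST http://alr992.date/report.php 200
2019-06-01T10:00:05Z 10.0.0.8 GET http://cdn.example/images/gate.php?id=1&screen=blue 200
2019-06-01T10:00:09Z 10.0.0.9 GET http://185.212.128.152/gating.php?id=deadbeef&screen=none 200
2019-06-01T10:01:00Z 10.0.0.8 POST https://www.example/report.php 200
"""


def parse_line(line):
    """Split one log line into the fields the rules look at."""
    ts, src, method, url, status = line.split()
    parts = urlsplit(url)
    return {
        "ts": ts, "src": src, "method": method.upper(), "status": status,
        "host": (parts.hostname or "").lower(),
        "file": parts.path.rsplit("/", 1)[-1].lower(),
        "query": parse_qs(parts.query),
    }


def is_registration(rec):
    """GET to gate.php/gating.php with id= and screen= in {on, off, none}."""
    q = rec["query"]
    return (rec["method"] == "GET" and rec["file"] in REGISTRATION_FILES
            and "id" in q and q.get("screen", [""])[0] in SCREEN_VALUES)


def detect(lines):
    """Return one alert per matching line; report.php POSTs are raised to high
    severity only when the same client sent a registration beacon earlier."""
    registered, alerts = set(), []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_line(line)
        rules, severity = [], None
        if rec["host"] in IOC_DOMAINS or rec["host"] in IOC_IPS:
            rules.append("ioc-match")
            severity = "high"
        if is_registration(rec):
            rules.append("riltok-registration")
            severity = "high"
            registered.add(rec["src"])
        elif rec["method"] == "POST" and rec["file"] == REPORT_FILE:
            if rec["src"] in registered:
                rules.append("riltok-report")
                severity = "high"
            else:   # report.php alone is a weak signal; keep it for review
                rules.append("riltok-report-uncorrelated")
                severity = severity or "medium"
        if rules:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "host": rec["host"],
                           "rules": rules, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"{alert['severity']:6} {alert['src']:9} {alert['host']:18} "
              + ", ".join(alert["rules"]))
```

The registration rule keys on the parameter shape rather than on the host, so it still fires when the operators rotate to a domain that is not yet on an indicator list; the report.php rule is kept stateful because that file name is common enough on legitimate sites that a POST to it means little without the preceding beacon.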