{
	"id": "3085b216-ad29-438c-a9cc-259a36f57958",
	"created_at": "2026-04-06T00:18:40.222782Z",
	"updated_at": "2026-04-10T03:21:01.855315Z",
	"deleted_at": null,
	"sha1_hash": "ec4d0568fd2bcf45d8d12cc1558c22790da6205e",
	"title": "Riltok mobile Trojan: A banker with global reach",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1244969,
	"plain_text": "Riltok mobile Trojan: A banker with global reach\r\nBy Tatyana Shishkova\r\nPublished: 2019-06-25 · Archived: 2026-04-05 18:58:41 UTC\r\nRiltok is one of numerous families of mobile banking Trojans with the functions and distribution methods that are standard for such malware. Originally intended to target a Russian audience, the banker was later adapted, with minimal modifications, for the European “market.” The bulk of its victims (more than 90%) reside in Russia, with France in second place (4%). Third place is shared by Italy, Ukraine, and the United Kingdom.\r\nGeographic spread of the Riltok banking Trojan\r\nWe first detected members of this family back in March 2018. Like many other bankers, they were disguised as apps for popular free ad services in Russia. The malware was distributed from infected devices via SMS in the form “%USERNAME%, I’ll buy under a secure transaction. youlabuy[.]ru/7*****3” or “%USERNAME%, accept 25,000 on Youla youla-protect[.]ru/4*****7”, containing a link to download the Trojan. Other samples were also noticed, posing as a client of a ticket-finding service or as an app store for Android.\r\nIt was late 2018 when Riltok climbed onto the international stage. The cybercriminals behind it kept the same masking and distribution methods, using names and icons imitating those of popular free ad services.\r\nhttps://securelist.com/mobile-banker-riltok/91374/\r\nPage 1 of 13\r\nIcons most frequently used by the Trojan: Avito, Youla, Gumtree, Leboncoin, Subito\r\nIn November 2018, a version of the Trojan for the English market appeared in the shape of Gumtree.apk. The SMS message with a link to the banker looked as follows: “%USERNAME%, i send you prepayment gumtree[.]cc/3*****1”.\r\nItalian (Subito.apk) and French (Leboncoin.apk) versions appeared shortly afterwards in January 2019. 
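All of the lures quoted in this report share one template: the recipient's name, a one-line payment pretext, and a link to a domain that imitates the free-ad service, followed by a short path. As an added example that is not part of the original report, the Python below extracts the link host from an SMS body and flags it either because it appears in the phishing/C\u0026C domain list given in the IoC section at the end of this report, or because it names one of the impersonated brands without being that brand's real domain. The brand-to-legitimate-domain mapping is the editor's assumption (the report only names the brands); the sample messages are lures quoted in this report, with the masked path digits left as printed, plus one constructed benign message as a control.

```python
# Added editorial example, not code from the Securelist report or from Riltok itself.
# Classifies SMS bodies that follow the Riltok lure template (name, payment pretext,
# link to a look-alike domain) using two checks:
#   1. exact match of the link host against domains taken from the report's IoC list;
#   2. a look-alike heuristic: the host contains an impersonated brand name but is
#      not that brand's real domain.
import re

# Verbatim subset of the phishing/C2 domains from the report's IoC list (undefanged).
IOC_DOMAINS = {
    'avito-app.pw', 'buy-youla.ru', 'myyoula.ru', 'sell-avito.ru', 'sell-youla.ru',
    'youlaprotect.ru', 'subito-li.pw', 'subitop.pw', 'web-gumtree.com',
    'leboncoin-bk.top', 'leboncoin-buy.pw', 'leboncoin-cz.info', 'leboncoin-f.pw',
    'leboncoin-jp.info', 'leboncoin-kp.top', 'leboncoin-ny.info', 'leboncoin-ql.top',
    'leboncoin-tr.info',
}

# ASSUMPTION: the legitimate domains of the impersonated free-ad services. The report only
# names the brands; this mapping is the editor's, not the report's.
BRAND_DOMAINS = {
    'avito': ('avito.ru',),
    'youla': ('youla.ru', 'youla.io'),
    'gumtree': ('gumtree.com',),
    'leboncoin': ('leboncoin.fr',),
    'subito': ('subito.it',),
}

# host/path: dotted labels (letters, digits, hyphens) followed by a slash and a path.
# Defanged dots ('[.]'), as printed in the report, are restored before matching.
LINK_RE = re.compile(r'([a-z0-9-]+(?:[.][a-z0-9-]+)+)/[^ ]*', re.IGNORECASE)

def link_host(text):
    '''Return the lowercased host of the first host/path link in an SMS body, or None.'''
    m = LINK_RE.search(text.replace('[.]', '.'))
    return m.group(1).lower() if m else None

def classify_sms(text):
    '''Return (verdict, host): verdict is 'ioc', 'lookalike' or 'clean'.'''
    host = link_host(text)
    if host is None:
        return ('clean', None)
    if host in IOC_DOMAINS:
        return ('ioc', host)
    for brand, real_domains in BRAND_DOMAINS.items():
        is_real = host in real_domains or any(host.endswith('.' + d) for d in real_domains)
        if brand in host and not is_real:
            return ('lookalike', host)
    return ('clean', host)

# The lures quoted in the report (masked path digits left as printed there) plus one
# constructed benign message as a control.
SAMPLE_SMS = [
    '%USERNAME%, accept 25,000 on Youla youla-protect[.]ru/4*****7',
    '%USERNAME%, i send you prepayment gumtree[.]cc/3*****1',
    '%USERNAME%, ti ho inviato il pagamento subitop[.]pw/4*****7',
    '%USERNAME%, je vous ai envoyé un prepaiement m-leboncoin[.]top/7*****3',
    'Your ad is live: https://www.subito.it/annunci/123',
]

def scan(messages=SAMPLE_SMS):
    '''Classify every message; returns a list of (verdict, host, message) tuples.'''
    return [classify_sms(m) + (m,) for m in messages]

if __name__ == '__main__':
    for verdict, host, message in scan():
        print(verdict.ljust(9), host, '<-', message)
```

Running scan() shows why the two checks are combined: of the quoted lures only subitop.pw is an exact hit on the published domain list, while the other lure hosts are caught only by the look-alike heuristic. The operators register fresh domains per campaign, so a defender matching on the IoC list alone would miss most of the traffic this report describes.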
The messages looked as follows:\r\n“%USERNAME%, ti ho inviato il soldi sul subito subito-a[.]pw/6*****5” (It.: “I sent you the money on Subito”)\r\n“%USERNAME%, ti ho inviato il pagamento subitop[.]pw/4*****7” (It.: “I sent you the payment”)\r\n“%USERNAME%, je vous ai envoyé un prepaiement m-leboncoin[.]top/7*****3” (Fr.: “I sent you a prepayment”)\r\n“%USERNAME%, j’ai fait l’avance (suivi d’un lien): leboncoin-le[.]com/8*****9” (Fr.: “I made the advance payment (followed by a link)”)\r\nLet’s take a more detailed look at how this banking Trojan works.\r\nInfection\r\nThe user receives an SMS with a malicious link pointing to a fake website simulating a popular free ad service. There, they are prompted to download a new version of the mobile app, under which guise the Trojan is hidden. To be installed, it needs the victim to allow installation of apps from unknown sources in the device settings.\r\nDuring installation, Riltok asks the user to grant it AccessibilityService permissions by displaying a fake warning:\r\nIf the user ignores or declines the request, the window keeps reopening indefinitely. After obtaining the desired rights, the Trojan sets itself as the default SMS app (using AccessibilityService to click Yes in the system prompt on its own), before vanishing from the device screen.\r\nAfter enabling AccessibilityService, the malware sets itself as the default SMS app\r\nNow installed and having obtained the necessary permissions from the user, Riltok contacts its C\u0026C server.\r\nIn later versions, when it starts, the Trojan additionally opens a phishing site in the browser that simulates a free ad service so as to dupe the user into entering their login credentials and bank card details. 
The entered data is forwarded to the cybercriminals.\r\nPhishing page from the French version of the Trojan\r\nCommunication with C\u0026C\r\nRiltok actively communicates with its C\u0026C server. First, it registers the infected device in the administrative panel by sending a GET request to the relative path gate.php (in later versions gating.php) with two parameters: ID (a device identifier that the setPsuedoID function derives pseudo-randomly from the device IMEI) and screen (whether the device screen is active; possible values are “on”, “off”, “none”).\r\nThen, using POST requests to the relative path report.php, it sends data about the device (IMEI, phone number, country, mobile operator, phone model, availability of root rights, OS version), the contact list, the list of installed apps, incoming SMS, and other information. From the server, the Trojan receives commands (for example, to send SMS) and configuration changes.\r\nTrojan anatomy\r\nThe family was named Riltok after the librealtalk-jni.so library contained in the Trojan’s APK file. The library includes such operations as:\r\nGet the address of the cybercriminals’ C\u0026C server\r\nGet the configuration file with web injects from the C\u0026C, as well as the default list of injects\r\nCheck whether the package name of the app that generated an AccessibilityEvent is in the list of known banking, antivirus and other popular apps\r\nSet the malware as the default SMS app\r\nGet the address of the phishing page that opens when the app runs, and others\r\ngetStartWebUrl function – get address of phishing page\r\nThe configuration file contains a list of injects for mobile banking apps – links to phishing pages matching the mobile banking app used by the user. 
In most of the so-called Western versions of the Trojan, the package names in the default configuration file are erased.\r\nSample configuration file of the Trojan\r\nThrough AccessibilityService, the malware monitors AccessibilityEvent events. Depending on which app (package name) generated the event, Riltok can:\r\nOpen a fake Google Play screen requesting bank card details\r\nOpen a fake screen or a phishing page in a browser (an inject) mimicking the screen of the relevant mobile banking app and requesting user/bank card details\r\nMinimize the app (for example, antivirus applications or device security settings)\r\nAdditionally, the Trojan can hide notifications from certain banking apps.\r\nList of package names of apps on events from which the Trojan opens a fake Google Play window (for the Russian version of the Trojan)\r\nExample of Trojan screen overlapping other apps\r\nWhen bank card details are entered in the fake window, Riltok performs basic validation checks: card validity period, number checksum, CVC length, and whether the number is in a denylist hard-coded into the Trojan.\r\nExamples of phishing pages imitating mobile banks\r\nAt the time of writing, the functionality of most of the Western versions of Riltok was somewhat pared down compared to the Russian one. 
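The validation the Trojan applies to captured card data is ordinary payment-card hygiene: the number must pass the Luhn checksum, the expiry month must not have passed, the CVC must be three or four digits, and the number must not be on a hard-coded denylist. The Python below is an added example by the editor, not code from the report or from the malware itself: it reproduces those four checks on constructed input so that an analyst can see what the routine filters out. The field formats, the length bounds and the denylist contents are assumptions, since the report shows only a screenshot of the routine; the reference date used is the report's publication date.

```python
# Added editorial example, not code from the Securelist report or from Riltok itself:
# the four sanity checks the report says Riltok runs on card data typed into its fake
# Google Play window, written as a defender-readable reference.
from datetime import date

# Publication date of the report, used as the reference day so the demo is reproducible.
REPORT_DATE = date(2019, 6, 25)

# ASSUMPTION: a hard-coded denylist of card numbers the operators want to drop. The report
# says such a list exists but does not print it; this entry is a well-known Visa test
# number, not a number from the report.
DENYLIST = {'4111111111111111'}

def luhn_ok(number):
    '''Luhn (mod 10) checksum over a digit string, as used for payment card numbers.'''
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def expiry_ok(mm, yy, today=None):
    '''A card is valid through the last day of its expiry month (MM/YY, two-digit year).'''
    today = today or date.today()
    if not 1 <= mm <= 12:
        return False
    return (2000 + yy, mm) >= (today.year, today.month)

def validate_card(number, mm, yy, cvc, today=None):
    '''Return the list of failed checks; an empty list means the data passed all of them.'''
    number = number.replace(' ', '')
    problems = []
    # ASSUMPTION: PAN length bounds of 13..19 digits (ISO/IEC 7812); the report gives none.
    if not number.isdigit() or not 13 <= len(number) <= 19:
        problems.append('length')
    elif not luhn_ok(number):
        problems.append('checksum')
    if not expiry_ok(mm, yy, today):
        problems.append('expired')
    if not (cvc.isdigit() and len(cvc) in (3, 4)):
        problems.append('cvc')
    if number in DENYLIST:
        problems.append('denylisted')
    return problems

if __name__ == '__main__':
    # Constructed inputs: public test card numbers, not data from the report.
    for card in [('4111 1111 1111 1111', 12, 30, '123'),   # denylisted test card
                 ('4111 1111 1111 1112', 12, 30, '123'),   # checksum failure
                 ('5555 5555 5555 4444', 5, 19, '123'),    # expired before REPORT_DATE
                 ('4242 4242 4242 4242', 6, 19, '12'),     # CVC too short
                 ('4242 4242 4242 4242', 6, 19, '123')]:   # passes
        print(card, validate_card(*card, today=REPORT_DATE) or 'ok')
```

The checks matter to analysts because the Trojan filters its own stolen data before upload: mistyped or test cards never reach the C\u0026C, so a sandbox that feeds the fake window random digits will see no exfiltration and may wrongly conclude the window is inert. The Western builds, which lack the fake card window altogether, never reach this routine.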
In those Western versions, the default configuration file with injects is non-operational, and the malware contains no fake built-in windows requesting bank card details.\r\nConclusion\r\nThreats are better prevented than cured, so do not follow suspicious links in SMS, install apps only from official sources, and check what permissions you are granting during installation. As Riltok shows, cybercriminals can apply the same methods of infection to victims in different countries with more or less the same success.\r\nKaspersky products detect the above-described threat with the verdict Trojan-Banker.AndroidOS.Riltok.\r\nIoCs\r\nC\u0026C\r\n100.51.100.00\r\n108.62.118.131\r\n172.81.134.165\r\n172.86.120.207\r\n185.212.128.152\r\n185.212.128.192\r\n185.61.000.108\r\n185.61.138.108\r\n185.61.138.37\r\n188.209.52.101\r\n5.206.225.57\r\nalr992.date\r\navito-app.pw\r\nbackfround2.pw\r\nbackground1.xyz\r\nblacksolider93.com\r\nblass9g087.com\r\nbrekelter2.com\r\nbroplar3hf.xyz\r\nbuy-youla.ru\r\ncd78cg210xy0.com\r\ncopsoiteess.com\r\nfarmatefc93.org\r\nfirstclinsop.com\r\nholebrhuhh3.com\r\nholebrhuhh45.com\r\nkarambga3j.net\r\nle22999a.pw\r\nleboncoin-bk.top\r\nleboncoin-buy.pw\r\nleboncoin-cz.info\r\nleboncoin-f.pw\r\nleboncoin-jp.info\r\nleboncoin-kp.top\r\nleboncoin-ny.info\r\nleboncoin-ql.top\r\nleboncoin-tr.info\r\nmyyoula.ru\r\nsell-avito.ru\r\nsell-youla.ru\r\nsentel8ju67.com\r\nsubito-li.pw\r\nsubitop.pw\r\nweb-gumtree.com\r\nwhitehousejosh.com\r\nwhitekalgoy3.com\r\nyoulaprotect.ru\r\nExamples of 
malware\r\n0497b6000a7a23e9e9b97472bc2d3799caf49cbbea1627ad4d87ae6e0b7e2a98\r\n417fc112cd0610cc8c402742b0baab0a086b5c4164230009e11d34fdeee7d3fa\r\n54594edbe9055517da2836199600f682dee07e6b405c6fe4b476627e8d184bfe\r\n6e995d68c724f121d43ec2ff59bc4e536192360afa3beaec5646f01094f0b745\r\nbbc268ca63eeb27e424fec1b3976bab550da304de18e29faff94d9057b1fa25a\r\ndc3dd9d75120934333496d0a4100252b419ee8fcdab5d74cf343bcb0306c9811\r\ne3f77ff093f322e139940b33994c5a57ae010b66668668dc4945142a81bcc049\r\nebd0a8043434edac261cb25b94f417188a5c0d62b5dd4033f156b890d150a4c5\r\nf51a27163cb0ddd08caa29d865b9f238848118ba2589626af711330481b352df\r\nSource: https://securelist.com/mobile-banker-riltok/91374/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://securelist.com/mobile-banker-riltok/91374/"
	],
	"report_names": [
		"91374"
	],
	"threat_actors": [],
	"ts_created_at": 1775434720,
	"ts_updated_at": 1775791261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ec4d0568fd2bcf45d8d12cc1558c22790da6205e.pdf",
		"text": "https://archive.orkl.eu/ec4d0568fd2bcf45d8d12cc1558c22790da6205e.txt",
		"img": "https://archive.orkl.eu/ec4d0568fd2bcf45d8d12cc1558c22790da6205e.jpg"
	}
}