
Don't track: Russians are attacked by a banking trojan disguised as a parcel tracker

Ahead of the New Year, attackers began mass distribution of the Mamont mobile banking trojan disguised as a parcel tracker, Izvestia has learned. First, the buyer is lured to a phishing online store and places an order through Telegram at a favorable price, with payment upon receipt. To track the delivery, the person is asked to download a tracker app, which is actually the malware, Kaspersky Lab said. It intercepts SMS and push notifications, which fraudsters can use, for example, to steal the user's funds via SMS banking. How to protect yourself is covered in this Izvestia article.
How the phone is infected with a Trojan virus
Attackers have devised a new scheme for spreading the trojan, which came into mass use in 2024, Kaspersky Lab told Izvestia. The malicious campaign targets Android smartphone users in Russia. The scenario consists of several stages.
First, fraudsters create websites for non-existent wholesale stores offering goods at extremely attractive prices, Kaspersky Lab said. The contacts on the site include a link to a closed, themed Telegram chat. The chat explains how to contact the manager and also contains positive "feedback" from users.
"When the victim contacts the fake representative of the store, they are asked to specify the name of the recipient of the order, delivery address and contact phone number, as well as the number of selected goods and their names. Payment for the order can be made ostensibly upon receipt. This is how attackers put your vigilance to sleep," Kaspersky Lab explained.
The company continued: after some time, the person receives a message that the order has been sent. To track it, they are told to download a special tracker mobile application from a link sent by the manager. In reality, the link leads to a phishing resource that mimics the official app store, and under the guise of a tracker the person downloads a mobile banking trojan, Mamont.
What are the dangers of Trojans
This trojan requests access to messages and push notifications on the infected device, which are used to steal funds via SMS banking, explained Kaspersky Lab cybersecurity expert Dmitry Kalinin. MTS Bank also confirmed this to Izvestia.
"The fake tracker download links are deliberately made long and complicated to confuse the user. If a new trojan gets onto a smartphone, the consequences can be serious: from stealing personal data and funds to connecting the device to a botnet - a network of infected devices used for cyberattacks," said Dmitry Morev, director of information security at RuStore.
In addition to banking application login information, fraudsters can also gain access to other sensitive data: the contact book, photo archive, e-mail, cryptographic keys and electronic signatures, Gazprombank warned. Izvestia asked other credit organizations whether they were aware of the virus spreading, and asked the Ministry of Finance and Roskomnadzor about the risks of the Mamont trojan.
The scheme of spreading the trojan through an order status tracker application is especially dangerous in the days before New Year's Eve, when people are actively buying gifts and outfits for the holiday, said Daria Verestnikova, SafeTech's commercial director. During this period, users usually have a lot of goods on a variety of marketplaces and online stores, so they can simply let their guard down and download the malware. In addition, buyers are interested in finding a more favorable offer.
How to protect your smartphone from a trojan
However, schemes with fake orders existed before that. In October 2024, fraudsters approached users from fake profiles of delivery services in messengers, recalled Igor Bederov, head of the T.Hunter Investigations Department. The profiles most often faked were those of companies such as CDEK, Sbermarket, Yandex Delivery and Delivery Club.
The Mamont trojan itself (in scammers' slang, the word means "victim") appeared back in 2019, but it was distributed under the guise of other fake utilities: applications for adults and financial organizations, added Igor Bederov. In the fall, the Interior Ministry called the "Mammoth" scheme one of the phishing trends of 2024. The media wrote that, according to experts, 16 large fraudulent groups of more than 20 thousand people are now active in Telegram.
Most likely, fraudsters will continue to adapt schemes that use this trojan, believes Boris Kuzmin, deputy general director for information technologies at the IT company Articul. He expects that during the New Year sales people will be invited to download an application with advertisements for various goods and services, which supposedly provides a safe purchase.
Currently, trojan-based schemes are less common than social engineering scenarios, as they depend heavily on the version of the cell phone's operating system, the presence of antivirus software and the phone owner's default security settings, Gazprombank noted.
To avoid becoming a victim of fraudsters, it is necessary to follow basic security rules: do not follow suspicious links and download programs only from official sources, said Dmitry Morev from RuStore. One should be critical of generous offers on the Internet and not follow links from strangers sent via messages, messengers and e-mails, Kaspersky Lab added. You should also use an antivirus application and regularly update its databases, VTB added.