A family of banking trojans for Android has spread beyond Russia, a region it normally targeted. Riltok operates in an aggressive way to replace the default SMS app and deploy phishing screens on compromised devices. Researchers from Kaspersky analyzed how the banker works and monitor distribution across the globe. The malware collects data about the devices, including the phone number, country, mobile carrier, device model, root rights, and the Android version, and all short text messages are delivered to the C2.
Source: https://www.bleepingcomputer.com/news/security/riltok-android-banker-takes-over-sms-app-spawns-phishing-screens/