Decrypts the config file for the Fake-TextSecure Online Banking Trojan.

Decrypt the config file of “FakeToken” / “FakeTextsecure” Online Banking Trojans.
+ The Config is blowfish encrypted
+ The Config is a XML file and contains URLs and Phonenumbers of the attacker
+ “FakeTextSecure” uses the Textsecure open source app to disguise itself

+ Python 3.x
+ Pycrypto:

Tested on Windows 8.1 and Ubuntu 14.04

– Copy blfs.key and config.cfg from /res/raw folder in APK
– run blfs.key config.cfg
– Specify an APK or a directory of APKs as an argument for -i or –input
– run python -i <APK_or_Directory> Script: Script:

Source :