A new strain of Android malware with a wide array of features has recently been discovered and analysed by security researchers. This malware strain is capable of stealing credentials from 226 applications.
This new trojan, called Alien, has been operational since the start of the year and has been offered as Malware-as-a-Service (MaaS) on underground hacking forums.
According to researchers, the code of Alien is based on the source code of a rival malware gang named Cerberus, and it’s not entirely new.
Cerberus, active last year, ran out of steam this year: its owner first tried to sell its codebase and customer base, then eventually leaked it for free. Researchers state that Cerberus died out because Google’s security team found a way to detect and clean infected devices.
Alien, however, does not seem to have this problem even though it is based on an older Cerberus version, and its MaaS stepped in to fill the void left by the demise of Cerberus.
It is also said that Alien is even more advanced than Cerberus and an even more perilous trojan in its own way.
Alien is part of a new generation of Android banking trojans that have also integrated remote-access features into their codebases, which makes an Alien infection particularly dangerous.
Not only can Alien show fake login screens and collect passwords for various apps and services, but it can also grant the hackers access to devices to use said credentials or even perform other actions.
At the current moment, Alien boasts the following features:
· Can overlay content on top of other apps (a feature used for phishing login credentials)
· Log keyboard input
· Provide remote access to a device after installing a TeamViewer instance
· Harvest, send or forward SMS messages
· Steal contacts list
· Collect device details and app lists
· Collect geo-location data
· Make USSD requests
· Forward calls
· Install and start other apps
· Start browsers on desired pages
· Lock the screen for a ransomware-like feature
· Sniff notifications shown on the device
· Steal 2FA codes generated by authenticator apps
As with most Android trojans these days, these features are mostly geared towards fraud operations, with the hackers targeting online accounts in search of money.
Researchers also discovered that Alien had support for showing fake login pages for 226 other Android applications. Supporting their assessment that Alien was intended for fraud, most of these fake login pages were aimed at intercepting credentials for e-banking apps, although Alien targets other kinds of applications as well, such as email, social, instant messaging, and cryptocurrency apps.
The banking apps targeted by Alien developers were for financial institutions based mostly in Spain, Turkey, Germany, the US, Italy, France, Poland, Australia, and the UK.
Some malicious apps make it onto the Play Store once in a while, but most of the time they are distributed through other channels. As for Alien, it is not clear how it makes its way onto users’ devices, primarily because this varies with how the Alien MaaS customers (other criminal groups) choose to distribute it.
Applications carrying Alien can often be spotted because they ask users to grant them device administrator rights or access to the Accessibility service.
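The two tell-tale requests named above, device administrator rights and the Accessibility service, leave a trace in an app's AndroidManifest.xml before the app ever runs: an accessibility service must be declared as a `<service>` protected by `android.permission.BIND_ACCESSIBILITY_SERVICE`, and a device admin component is a `<receiver>` protected by `android.permission.BIND_DEVICE_ADMIN`. The following Python script is an added triage example written for this article; it is not code from eScan or from the researchers who analysed Alien. It parses a manifest (here a constructed sample, not one taken from a real Alien dropper), lists the components that bind those privileged permissions and notes requested permissions that match the overlay and SMS capabilities in the feature list. The permission strings are the real Android ones; the component names and package name are made up.

```python
"""Triage an AndroidManifest.xml for the privileged components Alien-style trojans rely on.

Added example for this article; the manifests below are constructed samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android permission strings that protect the two component types
# a trojan needs for Accessibility abuse and device administration.
PRIVILEGED_BINDINGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_DEVICE_ADMIN": "device administrator",
}

# Requested permissions matching capabilities from the feature list above
# (overlay phishing screens, SMS harvesting); real Android permission names.
CAPABILITY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay content on top of other apps",
    "android.permission.READ_SMS": "read SMS messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS messages",
    "android.permission.SEND_SMS": "send SMS messages",
}

# Constructed sample: what a dropper that asks for both privileges looks like.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Flash Update">
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that binds nothing privileged.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <service android:name=".SyncService"/>
  </application>
</manifest>"""


def audit_manifest(manifest_xml: str) -> dict:
    """Return the package name, privileged components and capability permissions found."""
    root = ET.fromstring(manifest_xml)
    findings = {
        "package": root.get("package"),
        "privileged_components": [],  # (component name, what the binding grants)
        "permissions": [],            # (permission, capability it maps to)
    }
    # Accessibility services are <service> elements; device admins are <receiver>s.
    for tag in ("service", "receiver"):
        for component in root.iter(tag):
            perm = component.get(ATTR_PERMISSION)
            if perm in PRIVILEGED_BINDINGS:
                findings["privileged_components"].append(
                    (component.get(ATTR_NAME), PRIVILEGED_BINDINGS[perm])
                )
    for uses in root.iter("uses-permission"):
        name = uses.get(ATTR_NAME)
        if name in CAPABILITY_PERMISSIONS:
            findings["permissions"].append((name, CAPABILITY_PERMISSIONS[name]))
    return findings


def is_suspicious(findings: dict) -> bool:
    """Flag any app that binds an accessibility service or device admin receiver."""
    return bool(findings["privileged_components"])


def describe(findings: dict) -> str:
    """Human-readable one-line verdict for a triage report."""
    if not is_suspicious(findings):
        return f"{findings['package']}: no privileged component bindings"
    parts = [f"{name} ({what})" for name, what in findings["privileged_components"]]
    return f"{findings['package']}: REVIEW, binds " + ", ".join(parts)


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        result = audit_manifest(manifest)
        print(describe(result))
        for perm, capability in result["permissions"]:
            print(f"  requests {perm}: {capability}")
```

Binding an accessibility service is legitimate for screen readers and some automation tools, so the script is a triage filter rather than a verdict: an app flagged here still needs a look at what its accessibility service actually does, but an app that binds neither component cannot be using the two techniques this article describes.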
Not all Android users are technical enough to recognise this, and many download and install apps from any source and then simply click through every prompt during installation; our security experts strictly advise against doing so.
This is the modus operandi of most malware in general: it targets non-technical users rather than experts. Since many people fall into this category, Android malware is big business on hacking forums these days.
To read more, please check eScan Blog