Alien Android banking Trojan, the powerful successor of the Cerberus malware

4 years ago 486
BOOK THIS SPACE FOR AD
ARTICLE AD

Security researchers spotted a new strain of Android malware, dubbed Alien, that implements multiple features allowing it to steal credentials from 226 apps.

Researchers from ThreatFabric have discovered and analyzed a new strain of Android malware, tracked as Alien, that implements multiple features allowing it to steal credentials from 226 applications.

Alien first appeared in the threat landscape early this year, its model of sale is Malware-as-a-Service (MaaS) and is advertised on several underground hacking forums.

According to researchers, Alien borrows portions of the source code from the Cerberus malware.

ThreatFabric pointed out that Cerberus operators attempted to sell their project because several issues in the malware remained unsolved for a long time due to shortcomings of the development team in the criminal gang. The delay in addressing the problems allowed Google Play Protect to detect the threat on all infected devices.

Alien is not affected by the same issues and this is the reason of the success of its MaaS model

Alien is considered a next-generation banking trojan that also implements remote-access features into their codebases.

The list of features implemented in Alien is:

Overlaying: Dynamic (Local injects obtained from C2)KeyloggingRemote accessSMS harvesting: SMS listingSMS harvesting: SMS forwardingDevice info collectionContact list collectionApplication listingLocation collectionOverlaying: Targets list updateSMS: SendingCalls: USSD request makingCalls: Call forwardingRemote actions: App installingRemote actions: App startingRemote actions: App removalRemote actions: Showing arbitrary web pagesRemote actions: Screen-lockingNotifications: Push notificationsC2 Resilience: Auxiliary C2 listSelf-protection: Hiding the App iconSelf-protection: Preventing removalSelf-protection: Emulation-detectionArchitecture: Modular

This banking Trojan is an optimal choice for crooks behind multiple fraudulent operations.

Experts discovered that Alien is able to show fake login pages for 226 other Android applications that allow its operators to intercept credentials.

“In the case of Alien, advanced features such as the authenticator-code stealer and notifications-sniffer aside, the features of the Trojan are quite common. As for many Trojans, the target list can be extended dynamically by the renter and applied to all bots enrolled to the botnet. The targeted applications in the appendix of the article are the concatenated list of targets observed in samples found in the wild, growing to over 226 targeted applications so far.” reads the report published by the researchers.

“Although it is hard to predict the next steps of the Alien authors, it would be logical for them to improve the RAT, which is currently based on TeamViewer (and therefore visible when installed and executed on the device).”

Alien is also able to target other apps including Gmail, Facebook, Telegram, Twitter, Snapchat, WhatsApp, as well as cryptocurrency apps

Experts reported that most of the apps targeted by Alien were used by financial institutions mostly in Spain, Turkey, Germany, the US, Italy, France, Poland, Australia, and the UK.

Additional technical details, including Indicators of Compromise (IoCs) are included in the report published by ThreatFabric.

Pierluigi Paganini

(SecurityAffairs – hacking, Banking Trojan)

Read Entire Article