Security researchers have discovered and analyzed a new strain of Android malware that comes with a wide range of features that allow it to steal credentials from 226 applications. Named Alien, this new trojan has been active since the beginning of the year and is offered as Malware-as-a-Service (MaaS) in underground hacking forums.
In a report released this week on ZDNet, ThreatFabric security researchers went through Alien forum posts and samples to understand the malware's evolution, tricks, and capabilities.
According to the researchers, Alien is not really new code; it is based on the source code of a rival malware strain called Cerberus.
Cerberus, an active MaaS operation last year, collapsed this year; its owner first tried to sell the codebase and customer base and finally released it for free on a hacking forum.
ThreatFabric says Cerberus died because the Google security team found a way to detect and clean infected devices. Although Alien is based on an older version of Cerberus, it does not appear to have this problem.
Researchers also say Alien is even more advanced than Cerberus, which was already a fairly reliable and dangerous trojan.
ThreatFabric reports that Alien belongs to a new generation of Android banking trojans that have built remote-access features into their core.
This is what makes Alien so dangerous. It can not only display fake login screens and collect passwords for various applications and services, but can also give attackers remote access to the device so they can use those credentials or perform other actions.
According to ThreatFabric, Alien currently has the following features:
- Ability to overlay content over other applications (function used in phishing for credentials)
- Logs keyboard input
- Provides remote access to the device after installing TeamViewer
- Collects, sends, or forwards SMS messages
- Steals the contact list
- Collects device details
- Collects geographic location data
- Makes USSD requests
- Forwards calls
- Installs and launches applications
- Launches browsers to the desired pages
- Locks the screen for a ransomware-style operation
- Steals 2FA codes generated by authentication applications
This is an impressive set of features. During its analysis, the researchers said they found that Alien had support for displaying fake login pages for 226 Android apps (you can see the full list in the ThreatFabric report).
Most of these fake login pages aim to steal the credentials of e-banking apps, clearly supporting ThreatFabric's assessment that Alien was intended for this type of scam.
ThreatFabric did not provide details on how Alien gets onto users' devices, mainly because this varies depending on how Alien MaaS customers choose to distribute it.
Some malware-laced applications have been found on the Play Store, but they are most often distributed through other channels.
These malicious applications can be spotted fairly easily, as they usually require users to grant them device administrator rights.
While this is self-explanatory advice, it bears repeating: do not install applications from unknown sites and do not grant them administrator rights. It may sound simple to some, but not every user has the ability or knowledge to recognise that an application is malicious.
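The feature list above and the note about administrator rights suggest a simple triage check a defender can run on a suspicious APK: map each Alien capability to the Android permissions or component bindings an app must declare to implement it, and flag a manifest that asks for several of them at once. The example below is added here and is not ThreatFabric's code; the capability-to-permission mapping and the sample manifest are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Alien's feature list mapped to the Android permissions / component bindings
# an app needs to implement each one (this mapping is the example's own assumption).
CAPABILITY_SIGNALS = {
    "overlay_phishing": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "keylogging": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "sms_theft": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                  "android.permission.SEND_SMS"},
    "contact_theft": {"android.permission.READ_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION"},
    "ussd_and_call_forwarding": {"android.permission.CALL_PHONE"},
    "app_install": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "screen_lock_ransom": {"android.permission.BIND_DEVICE_ADMIN"},
}

def declared_permissions(manifest_xml: str) -> set:
    """<uses-permission> names plus the permissions guarding declared
    services/receivers (accessibility and device-admin bindings)."""
    root = ET.fromstring(manifest_xml)
    found = {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}
    for tag in ("service", "receiver"):
        found |= {el.get(ANDROID_NS + "permission", "") for el in root.iter(tag)}
    found.discard("")
    return found

def triage(manifest_xml: str) -> dict:
    """{capability: matched permissions} for each Alien-style capability the
    manifest could support. Triage signal only: SMS clients, launchers and
    MDM agents legitimately declare some of these."""
    perms = declared_permissions(manifest_xml)
    return {cap: sorted(perms & sig) for cap, sig in CAPABILITY_SIGNALS.items() if perms & sig}

# Constructed sample manifest resembling a dropper that asks for overlay, SMS,
# contacts, accessibility and device-admin access (not a real Alien sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashupdate">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for cap, hits in triage(SAMPLE_MANIFEST).items():
        print(f"{cap}: {', '.join(hits)}")
```

On a real APK, extract the manifest with a tool such as apktool or aapt before feeding it in; a single hit proves nothing, but five of these capabilities in one app that claims to be a media plugin is worth a closer look.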