Tuesday, January 19, 00:53

The new malware "Alien" steals passwords from 226 Android applications

Security researchers have discovered and analyzed a new strain of Android malware that comes with a wide range of features that allow it to steal credentials from 226 applications. Named Alien, this new trojan has been active since the beginning of the year and is offered as Malware-as-a-Service (MaaS) in underground hacking forums.

In a report released this week on ZDNet, ThreatFabric security researchers examined Alien forum posts and samples to understand the malware's evolution, tricks and capabilities.


According to the researchers, Alien is not really a new piece of code; it is based on the source code of a rival malware strain called Cerberus.

Cerberus, which operated as a MaaS last year, collapsed this year; its owner tried to sell the codebase and customer base before finally releasing it for free on a hacking forum.

ThreatFabric says Cerberus died because the Google security team found a way to detect and clean infected devices. But even though Alien is based on an older version of Cerberus, it does not seem to share this problem.

And researchers say Alien is even more advanced than Cerberus, which was already a fairly reliable and dangerous trojan.

ThreatFabric reports that Alien is part of a new generation of Android banking trojans that have incorporated remote-access features into their codebase.

This makes Alien very dangerous. Not only can it display fake login screens and collect passwords for various applications and services, but it can also give intruders access to the device to use those credentials or perform other actions.

According to ThreatFabric, Alien currently has the following features:

  • Overlays content on top of other applications (used to phish for credentials)
  • Captures keyboard input (keylogging)
  • Provides remote access to the device after installing TeamViewer
  • Collects, sends or forwards SMS messages
  • Steals the contact list
  • Collects device details
  • Collects geographic location data
  • Makes USSD requests
  • Forwards calls
  • Installs and launches applications
  • Launches browsers to the desired pages
  • Locks the screen for a ransomware-type operation
  • Steals 2FA codes generated by authenticator applications

This is an impressive set of features. During their analysis, the researchers found that Alien supports fake login pages for 226 Android apps (you can see the full list in the ThreatFabric report).

Most of these fake login pages aim to steal the credentials of e-banking apps, clearly supporting ThreatFabric's assessment that Alien was intended for this type of scam.

Most of the banking applications targeted belong to financial institutions based mainly in Spain, Turkey, Germany, the USA, Italy, France, Poland, Australia and the United Kingdom.

ThreatFabric did not provide details on how Alien gets onto users' devices, mainly because this varies depending on how Alien MaaS customers choose to distribute it.

Some applications carrying the malware can be found on the Play Store, but they are most often distributed through other channels.

These malicious applications can be easily spotted, as they often ask users to grant them administrator rights.

While this is a self-evident tip, we should still mention it: "do not install applications from strange sites and do not grant them administrator rights". It may sound simple to some, but not all users have the ability or knowledge to realize that some applications are malicious.


Teo Ehc, https://www.secnews.gr