Security researchers at ThreatFabric have discovered a new strain of Android malware capable of stealing credentials from 226 applications. Dubbed Alien, it is part of a new generation of banking trojans based on the source code of rival malware Cerberus, with integrated remote-access features.
The researchers note that Alien is even more advanced than Cerberus.

Trusted by 50 per cent of the leading banks in Europe, Promon SHIELD™ offers comprehensive In-App Protection, protecting your banking application against malware utilizing the Android Accessibility Service.
Alien’s capabilities and methods
Alien is capable of performing overlay attacks, stealing SMS messages and harvesting contact lists. It can use its keylogger for any purpose, and is thus able to broaden the attack scope beyond its target list.
It is also able to install, start and remove applications from infected devices. Most importantly though, it offers a notification sniffer, and a Remote Access Trojan (RAT) feature allowing threat actors to perform fraud on victims’ devices. A complete list of capabilities is detailed in ThreatFabric’s report.
The report doesn’t include details about how Alien makes its way onto users’ devices, primarily because that depends on the distribution method used. “A lot of it seems distributed via phishing sites, for example malicious pages tricking the victims into downloading fake software updates or fake Corona apps,” Gaetan van Diemen, a malware analyst at ThreatFabric, told ZDNet.
Some malicious apps make it onto the Play Store, but most of the time they are distributed through other channels, van Diemen said. The applications can be easily spotted, as they often require users to grant them access to an admin user or the Accessibility service.
Banking applications on Alien’s target list
Most targets are banking applications, but Alien can also show phishing pages for social, instant messaging and cryptocurrency applications.
The target list includes applications such as Facebook, Twitter, WhatsApp, Snapchat and Gmail, and financial institutions based in Spain, Turkey, Germany, the United States, Italy, France, Poland, Australia and the United Kingdom. The report from ThreatFabric provides a complete list of targeted applications.
The Android Accessibility Service is a key part of helping the elderly and disabled use their smartphones. However, it also opens up the door for malware developers.
So, to make sure your app is secure, a piece of good advice is to protect it with advanced In-App Protection capabilities. Promon SHIELD™ protects your apps against shady malware that aims to steal sensitive user data from your apps by abusing the accessibility services.