Researchers from ThreatFabric have discovered and analyzed a new strain of Android malware, tracked as Alien, that implements multiple features allowing it to steal credentials from 226 applications.
Alien first appeared in the threat landscape early this year; it is sold under a Malware-as-a-Service (MaaS) model and is advertised on several underground hacking forums.
According to researchers, Alien borrows portions of the source code from the Cerberus malware.
ThreatFabric pointed out that the Cerberus operators attempted to sell their project because several issues in the malware remained unsolved for a long time, owing to shortcomings of the criminal gang's development team. The delay in addressing the problems allowed Google Play Protect to detect the threat on all infected devices.
Alien is not affected by the same issues, and this is the reason for the success of its MaaS model.
Alien is considered a next-generation banking trojan that also implements remote-access features in its codebase.
The list of features implemented in Alien is:
This banking Trojan is an optimal choice for crooks behind multiple fraudulent operations.
Experts discovered that Alien is able to show fake login pages for 226 other Android applications, allowing its operators to intercept the credentials entered into them.
“In the case of Alien, advanced features such as the authenticator-code stealer and notifications-sniffer aside, the features of the Trojan are quite common. As for many Trojans, the target list can be extended dynamically by the renter and applied to all bots enrolled to the botnet. The targeted applications in the appendix of the article are the concatenated list of targets observed in samples found in the wild, growing to over 226 targeted applications so far.” reads the report published by the researchers.
“Although it is hard to predict the next steps of the Alien authors, it would be logical for them to improve the RAT, which is currently based on TeamViewer (and therefore visible when installed and executed on the device).”
Alien is also able to target other apps, including Gmail, Facebook, Telegram, Twitter, Snapchat, WhatsApp, as well as cryptocurrency apps.
Experts reported that most of the apps targeted by Alien are used by financial institutions, mostly in Spain, Turkey, Germany, the US, Italy, France, Poland, Australia, and the UK.
Additional technical details, including Indicators of Compromise (IoCs), are included in the report published by ThreatFabric.