New Android Banking Trojan Red Alert 2.0 available for sale on crime forums

Researchers discovered a new Android banking Trojan, dubbed Red Alert 2.0, that is being offered for rent on many dark websites for $500 per month.

Researchers with security firm SfyLabs have discovered a new Android banking Trojan, dubbed Red Alert 2.0, that is being offered for rent on many dark websites for $500 per month.

“The last several months a new actor has been very busy developing and distributing a new Android trojan dubbed ‘Red Alert 2.0’ by the actor. The bot and panel (C&C) are fully written from scratch, while many other trojans are evolutions of leaked sources of older trojans.” reads a blog post published by SfyLabs.

The Red Alert 2.0 Android banking malware has been developed from scratch and has been offered for rent via many online hacking forums since last few months. The authors of the malware are continuously updating it, adding new features.

The Red Alert 2.0 is currently targeting over 60 banks and social media apps across the world, it works on Android 6.0 Marshmallow and previous versions.
The malware implements features that are common to many other similar threats, it is able to steal login credentials, hijack SMS messages, display an overlay on the top of legitimate apps, steal the contacts.

Researchers noticed the authors also added interesting features to Red Alert 2.0, including blocking and logging all incoming calls associated with banks and financial associations.

“Red Alert actors are regularly adding new functionality, such as blocking and logging incoming calls of banks (see image below), which could affect the process of fraud operation departments at financials that are calling users on their infected Android phone regarding potential malicious activity.” continues the post. 

This would potentially allow the Red Alert malware to intercept warnings of a compromised account to be received by the victims.

Red Alert banking trojan also leverages Twitter as backup C&C Infrastructure when the C2 server is taken offline,

“Another interesting vector is the use of Twitter to avoid losing bots when the C2 server is taken offline (NTD). When the bot fails to connect to the hardcoded C2 it will retrieve a new C2 from a Twitter account. ” continues SfyLabs researchers.

“This is something we have seen in the desktop banking malware world before, but the first time we see it happening in an Android banking trojan.”

Once installed on victim’s device, the malware remains silent waiting for the victim to open a banking or social media app, then it overlays the original app with a fake user interface.

The Red Alert 2.0 malware attempts to trick victims into providing login credentials by displaying a fake interface then informs him that the authentication failed.

“Upon opening an application that is targeted by Red Alert an overlay is shown to the user. When the user tries to log in he is greeted with an error page. The credentials themselves are then sent to the C2 server. To determine when to show the overlay and which overlay to show, the topmost application is requested periodically.” continues the post.