Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

New “Red Alert” Android Banking Trojan Emerges

A recently discovered Android banking Trojan features a bot and command and control panel fully written from scratch, SfyLabs has discovered.

A recently discovered Android banking Trojan features a bot and command and control panel fully written from scratch, SfyLabs has discovered.

Dubbed Red Alert 2.0, the malware has been designed and distributed over the past several months by a new threat actor, the researchers say. The threat features new code but its capabilities are similar to those of other Android banking Trojans, such as the use of overlays to steal login credentials, or the ability to intercept SMS messages and steal users’ contacts.

According to SfyLabs, the Red Alert actors have been adding new functionality to the threat to ensure it continues to be effective. The mobile malware can block and log incoming calls from banks, thus ensuring that financial firms can’t contact users of the infected Android phone to alert them regarding potential malicious activity.

The malware also uses Twitter to avoid losing bots when the command and control (C&C) server is taken offline. The researchers observed that, should the bot fail to connect to the hardcoded C&C, it would retrieve a new server from a Twitter account.

This approach isn’t new to the malware world, but has been associated mainly with Windows Trojans. In fact, SfyLabs claims that Red Alert 2.0 is the first Android banking Trojan they observed to pack such functionality. Given that more and more users perform banking operations directly from their mobile devices, it’s no surprise that miscreants switch focus to Android, the most popular mobile OS.

Should the C&C server be unavailable, a connection error is triggered. Code within the malware uses the current date combined with a salt stored in strings.xml to create a new MD5 hash. The first 16 characters of the hash are used as a Twitter handle registered by the Red Alert actors. The bot requests the Twitter page of the handle and parses the response to obtain the new C&C server address.

Unlike other Android banking Trojans that use overlays to steal login credentials, Red Alert 2.0 doesn’t receive the full list of targets from its C&C server. Keeping that list only on the server makes it more difficult to determine which banks the threat targets, but SfyLabs uncovered around 60 HTML overlays the actor is using at the moment.

Once the user launches a targeted application on an infected Android device, the malware displays an overlay page that mimics the legitimate one. However, when the user tries to log in, an error page is displayed, while the entered credentials are sent to the C&C server.

Advertisement. Scroll to continue reading.

To know when to display the overlay and which fake page to show, the malware requests the topmost application periodically. On Android 5.0 and higher devices, the malware uses Android toolbox for this activity, an approach different from those used by Android Trojans such as Mazar, Exobot and BankBot, the security researchers explain.

The security researchers also discovered that the attackers can control the Trojan through commands sent directly from the C&C server. Commands include start/stop SMS interception, send SMS, set/reset default SMS, get SMS/call/contact list, set admin, launch app, send USSD, and block and notify.

Observed samples would masquerade as Flash Player updates, popular applications such as WhatsApp and Viber, Google Market update, and even Android system updates.

Related: Triada Trojan Preinstalled on Low-Cost Android Devices

Related: SpyDealer Malware Steals Private Data From Popular Android Apps

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.