A recently discovered Android banking Trojan features a bot and command and control panel fully written from scratch, SfyLabs has discovered.
Dubbed Red Alert 2.0, the malware has been designed and distributed over the past several months by a new threat actor, the researchers say. The threat features new code but its capabilities are similar to those of other Android banking Trojans, such as the use of overlays to steal login credentials, or the ability to intercept SMS messages and steal users’ contacts.
According to SfyLabs, the Red Alert actors have been adding new functionality to the threat to ensure it continues to be effective. The mobile malware can block and log incoming calls from banks, thus ensuring that financial firms can’t contact users of the infected Android phone to alert them regarding potential malicious activity.
The malware also uses Twitter to avoid losing bots when the command and control (C&C) server is taken offline. The researchers observed that, should the bot fail to connect to the hardcoded C&C, it would retrieve a new server from a Twitter account.
This approach isn’t new to the malware world, but has been associated mainly with Windows Trojans. In fact, SfyLabs claims that Red Alert 2.0 is the first Android banking Trojan it has observed to pack such functionality. Given that more and more users perform banking operations directly from their mobile devices, it’s no surprise that miscreants are switching focus to Android, the most popular mobile OS.
Should the C&C server be unavailable, a connection error is triggered. Code within the malware uses the current date combined with a salt stored in strings.xml to create a new MD5 hash. The first 16 characters of the hash are used as a Twitter handle registered by the Red Alert actors. The bot requests the Twitter page of the handle and parses the response to obtain the new C&C server address.
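Because the fallback handle is derived only from the date and a static salt, defenders who recover the salt from a sample can precompute the handles for the coming days and look for requests to them in proxy logs. The sketch below is an added example, not SfyLabs' or the malware's code: the salt is a placeholder, the date format and the date/salt concatenation order are assumptions to be confirmed against a sample, and the log lines are constructed.

```python
import hashlib
import re
from datetime import date, timedelta

# Placeholder: the real salt sits in the sample's strings.xml and is not given in the article.
SALT = "PLACEHOLDER_SALT_FROM_STRINGS_XML"

# A Twitter profile request whose path is exactly 16 hex characters.
_PROFILE_URL = re.compile(r"https?://(?:www\.|mobile\.)?twitter\.com/([0-9A-Fa-f]{16})\b")


def candidate_handle(day, salt=SALT, date_fmt="%d/%m/%Y", salt_first=False):
    """First 16 hex chars of MD5(date + salt); format and order are assumptions."""
    stamp = day.strftime(date_fmt)
    material = salt + stamp if salt_first else stamp + salt
    return hashlib.md5(material.encode("utf-8")).hexdigest()[:16]


def handles_for_window(start, days, **kwargs):
    """Map each candidate handle to the date that would generate it."""
    table = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        table[candidate_handle(day, **kwargs)] = day
    return table


def scan_proxy_log(lines, handles):
    """Return (generating date, log line) for requests to a precomputed handle."""
    hits = []
    for line in lines:
        match = _PROFILE_URL.search(line)
        if match and match.group(1).lower() in handles:
            hits.append((handles[match.group(1).lower()], line.strip()))
    return hits


def demo():
    """Run the scan over constructed proxy log lines (not real traffic)."""
    start = date(2017, 9, 18)
    handles = handles_for_window(start, days=7)
    fallback = candidate_handle(start + timedelta(days=2))
    log = [
        "2017-09-20T08:01:12Z 10.0.0.23 GET https://twitter.com/some_user 200",
        f"2017-09-20T08:01:15Z 10.0.0.57 GET https://twitter.com/{fallback} 200",
        "2017-09-20T08:02:40Z 10.0.0.23 GET https://example.com/ 200",
    ]
    return scan_proxy_log(log, handles)
```

A hit identifies a device that has likely lost contact with its hardcoded C&C and is looking for a replacement, which makes it a candidate for isolation and triage.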
Unlike other Android banking Trojans that use overlays to steal login credentials, Red Alert 2.0 doesn’t receive the full list of targets from its C&C server. Keeping that list only on the server makes it more difficult to determine which banks the threat targets, but SfyLabs uncovered around 60 HTML overlays the actor is using at the moment.
Once the user launches a targeted application on an infected Android device, the malware displays an overlay page that mimics the legitimate one. However, when the user tries to log in, an error page is displayed, while the entered credentials are sent to the C&C server.
To know when to display the overlay and which fake page to show, the malware periodically queries which application is topmost (in the foreground). On devices running Android 5.0 and higher, the malware uses the Android toolbox for this activity, an approach different from those used by Android Trojans such as Mazar, Exobot and BankBot, the security researchers explain.
The security researchers also discovered that the attackers can control the Trojan through commands sent directly from the C&C server. Commands include start/stop SMS interception, send SMS, set/reset default SMS, get SMS/call/contact list, set admin, launch app, send USSD, and block and notify.
Observed samples masqueraded as Flash Player updates, popular applications such as WhatsApp and Viber, a Google Market update, and even Android system updates.