Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

New “Red Alert” Android Banking Trojan Emerges

A recently discovered Android banking Trojan features a bot and command and control panel fully written from scratch, SfyLabs has discovered.

A recently discovered Android banking Trojan features a bot and command and control panel fully written from scratch, SfyLabs has discovered.

Dubbed Red Alert 2.0, the malware has been designed and distributed over the past several months by a new threat actor, the researchers say. The threat features new code but its capabilities are similar to those of other Android banking Trojans, such as the use of overlays to steal login credentials, or the ability to intercept SMS messages and steal users’ contacts.

According to SfyLabs, the Red Alert actors have been adding new functionality to the threat to ensure it continues to be effective. The mobile malware can block and log incoming calls from banks, thus ensuring that financial firms can’t contact users of the infected Android phone to alert them regarding potential malicious activity.

The malware also uses Twitter to avoid losing bots when the command and control (C&C) server is taken offline. The researchers observed that, should the bot fail to connect to the hardcoded C&C, it would retrieve a new server from a Twitter account.

This approach isn’t new to the malware world, but has been associated mainly with Windows Trojans. In fact, SfyLabs claims that Red Alert 2.0 is the first Android banking Trojan they observed to pack such functionality. Given that more and more users perform banking operations directly from their mobile devices, it’s no surprise that miscreants switch focus to Android, the most popular mobile OS.

Should the C&C server be unavailable, a connection error is triggered. Code within the malware uses the current date combined with a salt stored in strings.xml to create a new MD5 hash. The first 16 characters of the hash are used as a Twitter handle registered by the Red Alert actors. The bot requests the Twitter page of the handle and parses the response to obtain the new C&C server address.

Unlike other Android banking Trojans that use overlays to steal login credentials, Red Alert 2.0 doesn’t receive the full list of targets from its C&C server. Keeping that list only on the server makes it more difficult to determine which banks the threat targets, but SfyLabs uncovered around 60 HTML overlays the actor is using at the moment.

Once the user launches a targeted application on an infected Android device, the malware displays an overlay page that mimics the legitimate one. However, when the user tries to log in, an error page is displayed, while the entered credentials are sent to the C&C server.

To know when to display the overlay and which fake page to show, the malware requests the topmost application periodically. On Android 5.0 and higher devices, the malware uses Android toolbox for this activity, an approach different from those used by Android Trojans such as Mazar, Exobot and BankBot, the security researchers explain.

The security researchers also discovered that the attackers can control the Trojan through commands sent directly from the C&C server. Commands include start/stop SMS interception, send SMS, set/reset default SMS, get SMS/call/contact list, set admin, launch app, send USSD, and block and notify.

Observed samples would masquerade as Flash Player updates, popular applications such as WhatsApp and Viber, Google Market update, and even Android system updates.

Related: Triada Trojan Preinstalled on Low-Cost Android Devices

Related: SpyDealer Malware Steals Private Data From Popular Android Apps

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.