Xbot Android Trojan Steals Banking Info, Encrypts Devices

A new piece of malware targeting Android devices has been found, which exhibits multiple malicious activities, ranging from stealing banking credentials and credit card information, to encrypting files on external storage, researchers at Palo Alto Networks warn.

Dubbed Xbot, the Trojan was found in 22 applications and is said to be regularly updated. The malware is capable of mimicking the login pages of 7 different banks’ apps to steal user credentials, can remotely lock devices, steal SMS messages and contact information, intercept messages, and parse SMS messages from banks.

At the moment, the Trojan is targeted only at users in Russia and Australia, and can steal banking information for six major banks from the land down under. Although not widespread, the malware was implemented in a flexible architecture that allows its operators easily extend its reach to more apps and geographies, researchers at Palo Alto Networks suggest.

They also explain that Xbot was designed to use a popular attack technique called “activity hijacking,” which involves abusing some features in Android and mimicking a series of applications that are not themselves being exploited. Devices running under platform versions prior to Android 5.0 are vulnerable to the malware, since Google introduced a protection mechanism to mitigate said attack with the release of Android 5.0.

To exploit the issue, the malware monitors currently running apps via the getRunningTasks() API in Android. Should the app running in the foreground be Google Play or one of several Australian bank apps, it will pop another interface on the top of running app (an operation called “activity hijacking”) to steal user’s bank account number, password, and security tokens.

After installation, the Trojan communicates with its command and control (C&C) server and can launch phishing attacks against Google Play users or Australian bank users. The malware includes three different phishing methods, namely fake notifications, app monitoring, and hijacking app lists, in addition to activity hijacking, the researchers explained.

The Trojan can display a fake “Add payment method” notification with the Google Play logo, imitating a legitimate popup in the official storefront. While the marketplace displays the notification only if the registered user hasn’t provided credit card info, the malware will display it every time it receives the command.

Users who click on the notification are taken to a page imitating Google Play’s actual interface for credit card information, where users are tricked into coughing up information.

The malware can display the fake Google Play webpage even without delivering the misleading notification in the first place. Moreover, researchers note that Xbot’s C&C server can remotely decide which faked app webpage to display, which means that the malware’s activity can be easily expanded to attack more applications without updating the Trojan itself.

Xbot also asks users for administrative rights and, if they are granted, it changes the phone to silent mode, resets the password to “1811blabla,” and then toggles the device screen to activate the new password. Based in a command from the C&C server, it will display a ransom webpage claiming to be Cryptolocker and will ask for a $100 PayPal cash card as ransom.

Xbot is believed to be the successor of Aulrin, an Android Trojan discovered in 2014, due to similar code structure and behavior and because resource files from the older malware are present in the newer variant as well.

The distribution mechanism is unclear at the moment, but the malware’s author is believed to be of Russian origin, mainly because earlier versions displayed a fake notification in Russian for Google Play phishing, there are Russian comments in the malware’s JavaScript code, it intercepts SMS messages from a specific bank in Russia and parse them for bank account information, and the domains it is hosted on were registered via a Russian registrar.

Some of Xbot’s capabilities affect all Android users, and researchers expect the malware to grow even more complex and to add better infection and stealth capabilities. Furthermore, the Trojan’s operators, which appear to be putting a lot of effort into improving it, are expected to expand target base to other regions around the world.

In January, FireEye warned of an Android banking Trojan called “SlemBunk,”which was targeting users of 33 financial institutions and service providers in North America, Europe and the Asia-Pacific region. Also last month, Kaspersky Lab researchers detailed the evolution of an Android piece of malware dubbed Asacub, which transformed from spyware, to backdoor, to banking Trojan.