Connect with us

Hi, what are you looking for?


Malware & Threats

Xbot Android Trojan Steals Banking Info, Encrypts Devices

A new piece of malware targeting Android devices has been found, which exhibits multiple malicious activities, ranging from stealing banking credentials and credit card information, to encrypting files on external storage, researchers at Palo Alto Networks warn.

A new piece of malware targeting Android devices has been found, which exhibits multiple malicious activities, ranging from stealing banking credentials and credit card information, to encrypting files on external storage, researchers at Palo Alto Networks warn.

Dubbed Xbot, the Trojan was found in 22 applications and is said to be regularly updated. The malware is capable of mimicking the login pages of 7 different banks’ apps to steal user credentials, can remotely lock devices, steal SMS messages and contact information, intercept messages, and parse SMS messages from banks.

At the moment, the Trojan is targeted only at users in Russia and Australia, and can steal banking information for six major banks from the land down under. Although not widespread, the malware was implemented in a flexible architecture that allows its operators easily extend its reach to more apps and geographies, researchers at Palo Alto Networks suggest.

They also explain that Xbot was designed to use a popular attack technique called “activity hijacking,” which involves abusing some features in Android and mimicking a series of applications that are not themselves being exploited. Devices running under platform versions prior to Android 5.0 are vulnerable to the malware, since Google introduced a protection mechanism to mitigate said attack with the release of Android 5.0.

To exploit the issue, the malware monitors currently running apps via the getRunningTasks() API in Android. Should the app running in the foreground be Google Play or one of several Australian bank apps, it will pop another interface on the top of running app (an operation called “activity hijacking”) to steal user’s bank account number, password, and security tokens.

After installation, the Trojan communicates with its command and control (C&C) server and can launch phishing attacks against Google Play users or Australian bank users. The malware includes three different phishing methods, namely fake notifications, app monitoring, and hijacking app lists, in addition to activity hijacking, the researchers explained.

The Trojan can display a fake “Add payment method” notification with the Google Play logo, imitating a legitimate popup in the official storefront. While the marketplace displays the notification only if the registered user hasn’t provided credit card info, the malware will display it every time it receives the command.

Advertisement. Scroll to continue reading.

Users who click on the notification are taken to a page imitating Google Play’s actual interface for credit card information, where users are tricked into coughing up information.

The malware can display the fake Google Play webpage even without delivering the misleading notification in the first place. Moreover, researchers note that Xbot’s C&C server can remotely decide which faked app webpage to display, which means that the malware’s activity can be easily expanded to attack more applications without updating the Trojan itself.

Xbot also asks users for administrative rights and, if they are granted, it changes the phone to silent mode, resets the password to “1811blabla,” and then toggles the device screen to activate the new password. Based in a command from the C&C server, it will display a ransom webpage claiming to be Cryptolocker and will ask for a $100 PayPal cash card as ransom.

Xbot is believed to be the successor of Aulrin, an Android Trojan discovered in 2014, due to similar code structure and behavior and because resource files from the older malware are present in the newer variant as well.

The distribution mechanism is unclear at the moment, but the malware’s author is believed to be of Russian origin, mainly because earlier versions displayed a fake notification in Russian for Google Play phishing, there are Russian comments in the malware’s JavaScript code, it intercepts SMS messages from a specific bank in Russia and parse them for bank account information, and the domains it is hosted on were registered via a Russian registrar.

Some of Xbot’s capabilities affect all Android users, and researchers expect the malware to grow even more complex and to add better infection and stealth capabilities. Furthermore, the Trojan’s operators, which appear to be putting a lot of effort into improving it, are expected to expand target base to other regions around the world.

In January, FireEye warned of an Android banking Trojan called “SlemBunk,”which was targeting users of 33 financial institutions and service providers in North America, Europe and the Asia-Pacific region. Also last month, Kaspersky Lab researchers detailed the evolution of an Android piece of malware dubbed Asacub, which transformed from spyware, to backdoor, to banking Trojan.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...