Not an actual little green man, mind you, but a newly discovered banking trojan called Alien.
This malware, which targets Android devices, uses advanced features, notably a notification sniffer and an authenticator-code stealer, to bypass 2FA and steal users' credentials with relative ease.
Once it has infected a device, Alien aims to steal credentials from over 200 mobile applications, including big hitters in the banking world (Bank of America and Capital One) and instant messaging apps such as Telegram.
As has become customary, the malware first appeared on an underground forum, advertised as Malware-as-a-Service, and it has since been used to target institutions worldwide, including in Australia, France, Germany, Italy, Poland, Spain, Turkey, the U.K. and the United States.
Looking into its origins, researchers believe Alien is a fork of the infamous Cerberus banking malware, whose use has steadily declined over the past year.
Alien malware: capabilities
The researchers at ThreatFabric point out that Alien is a rented banking Trojan that offers more than the average capabilities of "normal" Android banking Trojans.
It has the common capabilities: overlay attacks, intercepting and stealing SMS messages, and harvesting the contact list. Its keylogger is not limited to the targeted applications, which broadens the attack scope well beyond the target list. It can also install, start and remove applications on the infected device.
Most importantly, it offers a notification sniffer that captures the content of every notification shown on the infected device, including the one-time codes that authenticator apps and banks push to it, and a RAT (Remote Access Trojan) feature built by abusing the TeamViewer application, so the threat actors can perform the fraud from the victim's own device.
The complete list of features of Alien is as follows:
- Overlaying: Dynamic (Local injects obtained from C2)
- Keylogging
- Remote access
- SMS harvesting: SMS listing
- SMS harvesting: SMS forwarding
- Device info collection
- Contact list collection
- Application listing
- Location collection
- Overlaying: Targets list update
- SMS: Sending
- Calls: USSD request making
- Calls: Call forwarding
- Remote actions: App installing
- Remote actions: App starting
- Remote actions: App removal
- Remote actions: Showing arbitrary web pages
- Remote actions: Screen-locking
- Notifications: Push notifications
- C2 Resilience: Auxiliary C2 list
- Self-protection: Hiding the App icon
- Self-protection: Preventing removal
- Self-protection: Emulation-detection
- Architecture: Modular
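One check a practitioner will want after reading the capabilities above: the notification sniffer can only read notifications if the app has been granted notification access, and keylogging and overlay attacks on Android rely on an enabled accessibility service. Android records both grants in secure settings that can be read over adb, so the unexpected holders of those grants are a quick triage signal on a device suspected of infection. The Python below is an added example written for this article, not ThreatFabric's code or anything taken from an Alien sample; the two adb commands are real, while the sample setting values, the com.example.* package names and the allowlist are constructed.

```python
"""Triage check for the two Android grants Alien-style trojans depend on.

A notification sniffer needs notification access, and overlay/keylogging
via accessibility needs an enabled accessibility service. Android records
both grants in secure settings that can be read over adb:

    adb shell settings get secure enabled_notification_listeners
    adb shell settings get secure enabled_accessibility_services

Each value is a colon-separated list of component names (package/Class),
or the literal string "null" when nothing is enabled. The functions below
parse such values and flag components whose package is not on an
allowlist of expected packages. Sample values and the allowlist are
constructed for this example; the com.example.* names are not real apps.
"""

from typing import Dict, Iterable, List, Optional


def parse_components(setting_value: Optional[str]) -> List[str]:
    """Split a `settings get secure` value into component names."""
    if setting_value is None:
        return []
    value = setting_value.strip()
    if not value or value == "null":
        return []
    return [c for c in value.split(":") if c]


def package_of(component: str) -> str:
    """Component names are 'package/class'; return the package part."""
    return component.split("/", 1)[0]


def flag_unexpected(components: Iterable[str], allowlist: Iterable[str]) -> List[str]:
    """Return the components whose package is not on the allowlist."""
    allowed = set(allowlist)
    return [c for c in components if package_of(c) not in allowed]


def triage(listeners_value: Optional[str],
           accessibility_value: Optional[str],
           allowlist: Iterable[str]) -> Dict[str, List[str]]:
    """Flag unexpected grants and packages holding both at once.

    A single unknown package holding notification access *and* an
    accessibility service matches the combination a notification sniffer
    plus overlays/keylogging needs, so it is reported separately as the
    strongest signal.
    """
    allowed = set(allowlist)
    listeners = flag_unexpected(parse_components(listeners_value), allowed)
    services = flag_unexpected(parse_components(accessibility_value), allowed)
    both = sorted({package_of(c) for c in listeners} & {package_of(c) for c in services})
    return {
        "notification_listeners": listeners,
        "accessibility_services": services,
        "packages_with_both": both,
    }


# Constructed sample output, standing in for what the two adb commands
# above would print on a device with one unexpected app granted both.
SAMPLE_NOTIFICATION_LISTENERS = (
    "com.example.wearcompanion/.NotificationListener:"
    "com.example.flashlight/.SystemService"
)
SAMPLE_ACCESSIBILITY_SERVICES = (
    "com.example.screenreader/.ReaderService:"
    "com.example.flashlight/.SystemAccessibilityService"
)
# Packages the device owner knows should hold these grants (constructed).
ALLOWLIST = ["com.example.wearcompanion", "com.example.screenreader"]


if __name__ == "__main__":
    report = triage(SAMPLE_NOTIFICATION_LISTENERS, SAMPLE_ACCESSIBILITY_SERVICES, ALLOWLIST)
    for key, items in report.items():
        print(f"{key}: {items or 'none'}")
```

Anything flagged is a lead, not a verdict: a flagged component is simply an app that holds the grant, and an allowlisted package can still be a trojanized build. Because Alien hides its icon (see the self-protection entries in the list above), pair this with `adb shell pm list packages -3` to enumerate third-party packages that do not show up in the launcher.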
A new trend?
2020 has brought interesting changes to the mobile threat landscape: not only is there an increase in the number of new Android banking Trojans, many of them also bring innovative features.
More and more Trojans embed features that let the criminals take remote control of the infected device (RAT), like Alien itself, in order to perform the fraud from the victim's device, where a bank's anti-fraud checks have a much harder time telling the attacker apart from the legitimate user.
As the researchers point out, there is a growing interest among actors in recording and stealing more information surrounding the victim. How that information will be used or monetized varies; it is only a matter of time before actors work out the value of such information.
“In the case of Alien, advanced features such as the authenticator-code stealer and notifications-sniffer aside, the features of the Trojan are quite common,” the researchers wrote in their blog post.
But one thing is for sure: we are looking at a new rising threat superstar!