Alien Invades Android Phones

Calm down. I’m not suggesting that an intergalactic visitor is taking over your phones. I’m suggesting something far worse. Alien is a new banking Trojan that can, among other things, bypass two-factor authentication (2fa) to get control of your bank account. Not only that, but any would-be hacker can rent this malware to use as they see fit. So, in the end, it would have been far better if an alien had just stolen your phone.

Alien arrived from Cerberus. Cerberus was a previous incarnation of banking malware that had big plans as a malware-as-a-service (MaaS) platform. Most of such malware inherits characteristics from its predecessors. That makes each new generation easier to produce, as they simply tweak the code, but it also subjects it to easier detection by antivirus software. However, Cerberus bragged that it was a completely new malware which did not have any connection to previous banking Trojans. If this was true, renting it could be a profitable criminal enterprise.

Banking Trojan Ancestry

But this unique malware did not come cheap. Those wanting to rent it would be charged $2000 a month or $12000 a year, which is somewhat expensive as banking malware rentals go. And then came the bad news, at least for its developers. Google Play (Google Play Protect) detected the malware rather quickly. Unfortunately for the developers, the main vector for the installation of Cerberus would be through infected apps on Google Play. Thus, when these infected apps were easily detected, there were a lot of unhappy Cerberus customers. In the end, the developers had to repay them. They then tried to sell the Cerberus code, but, apparently, no one was interested. They were finally forced to release the code to the general public in August.

Although Cerberus was basically a failure, some users continued to work with it, trying to adjust its code to avoid detection by Google Play. Eventually, a new Cerberus-related MaaS trojan appeared in January, 2020. This malware slowly grew in stature among cyber criminals. It would come to be known as, ‘Alien’. Alien is a RAT, and, like any good RAT (Remote Access Trojan), it can do a wide range of sinister things. Here are only a few.

  • SMS: Sending
  • App installing
  • App starting
  • App removal
  • Showing arbitrary web pages
  • Screen-locking
  • Hiding the App icon
  • Preventing removal
  • Contact list collection

An interesting aspect of Alien is that it uses its ability to install apps to install TeamViewer, a legitimate program to remotely control computers or other devices. Although TeamViewer is installed, the criminals wait for the user to supply sign-in credentials for it before activating it. When the user/victim supplies the credentials, the criminal steals them and uses them to sign in and take remote control over their device (phone, tablet). They can now use the device as if they owned it, because, in a sense, they do. Then, as all banking trojans do, they can simply wait for the victim to log into their bank account (or any other account for that matter) and steal their credentials.

The malware is able to interfere with any two-factor authentication protocol that banks provide by abusing the

android.permission.BIND_NOTIFICATION_LISTENER_SERVICE  

permission. The criminals override any notifications, such as those that contain 2fa, and have them sent to the criminal’s server instead of to the device of the victim’s choice. They do this by abusing Accessibility privileges in a way that I have previously written on.

Alien comes pre-programmed with a number of targeted apps. Here are just a few of the more well known apps it can take control of:

Microsoft Outlook, Bank of America Mobile Banking, Capital One Mobile, Wells Fargo Mobile, Google Play, Facebook, WhatsApp Messenger, Snapchat, Twitter, Instagram, and Skype.

The renter of the malware also has the option of adding any other target they may be interested in.

Alien is just getting established in the criminal community. It seems to be in a testing stage in Europe and is just beginning its invasion of the U.S. Despite it’s relative youth, Threat Fabric claims that Alien  “has become the prominent new MaaS for fraudsters”.

Android devices are particularly susceptible to overlay malware attacks like those launched by Alien. The main vector for these attacks are through apps on Google Play or phishing scams. These infected apps are not easy to detect. This DHL app on Google Play seems to be suspicious and asks for some unusual permission. And since Alien

  has used fake DHL apps in the past…

As the holiday season approaches, such attacks are bound to increase. Everyone needs to be sure of the quality of the apps they install. Read the reviews before you install any app. The app above was roundly criticized, yet, 5000 people installed it. Check for unusual permissions. Be careful of emails that send you to sites that require a download or require you to fill out a form. Beware of attachments in emails from questionable sources. If your bank requires 2fa but you don’t receive it, someone else may have. Unfortunately, they may seize control of your bank account by the time you figure this out. Yet, with all of this said there will still be victims. Try not to be one of them.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s