A new Android banking Trojan called Alien was detected targeting e-banking institutions and cryptocurrency apps. The trojan also targets victims through social media phishing pages and instant messages.
Researchers at cyber intelligence company ThreatFabric published a detailed malware analysis of Alien, revealing that the malware has been active since the start of the year and has replaced the now-abandoned Cerberus project in the Malware-as-a-Service (MaaS) market.
Bye Cerberus, Hello Alien
It turns out that Alien is not an entirely new piece of malware, but a spin-off of one of the most successful banking trojans, Cerberus.
As Cerberus' developing team split off and published the threat's source code online, researchers predicted that variations of the trojan would start popping up. However, Alien is not based on the latest and leaked version of Cerberus.
Alien first appeared on the malware scene long before Cerberus' demise. The first Alien samples were spotted in January 2020 and were mistaken for new Cerberus versions because, at that time, the Cerberus team was making announcements about a soon-to-be-published second version of the threat. The mistaken identity was quickly cleared up when researchers discovered a post on an underground forum.
Figure 1: Hacker's Advert offering Alien Trojan as Malware-as-a-Service
A new threat actor started advertising their own private malware with a VNS (Virtual Network Computing) feature. It took researchers only a few weeks to confirm that the two threats were two different malware strains operated by separate groups.
The Downfall of Cerberus
In July 2020, cyber intelligence company Hudson Rock spotted Cerberus being sold at an auction. In an advertisement posted on an underground forum, the seller announced that a new owner for Cerberus is being sought out because the malware developing team was breaking up.
The starting bidding price for Cerberus' source code, administrator's panel code, and client list was set to $50,000, with the intention of doubling this amount. However, it seems that nobody bit as the threat was intentionally leaked just a month later.
The Rise Of Alien
Alien flourished while Cerberus fell from glory. In early 2020, the new malware was upgraded with a new 2FA feature that was capable of stealing secret tokens from Google's authentication app.
The changes didn't go unnoticed as in Mid-February, Alien received a positive review from a rivaling malware actor.
Figure 2: Alien Malware review on a forum.
Other features were introduced to the malware, turning Alien into a new generation malware that offers more than the average Android banking trojan.
Apart from the standard trojan capabilities, such as overlaying attack support, contact list harvesting, and SMS interception, Alien has integrated RAT capabilities, a keylogger, and a notification sniffer. According to the research, this arsenal of features allows Alien's operators to launch a broad spectrum of attacks, as well as perform fraudulent activities with the victim's device.
According to ThreatFabric's research, Alien has the following functions:
- Dynamic Overlaying (a feature that injects objects from C2)
- Remote access
- Location collection
- SMS harvesting: SMS listing and SMS forwarding
- Forward calls
- Make USSD requests
- Device info collection
- Contact list collection
- Application listing
- Steal 2FA codes generated by authentication apps
- App installing, starting, and removal
- Showing arbitrary web pages
- Remote Screen-locking
- Sniff notifications
- Auxiliary C2 list
ThreatFabric discovered that Alien had support for showing fake login pages for 226 other Android applications, including e-banking apps, Gmail, PayPal, Twitter, Snapchat, Telegram, and many others (a full list is available in the ThreatFabric report).
The majority of fake login pages targeted e-banking apps. However, social media apps, instant messaging platforms, and email clients were also included in the list.
According to the research, Alien was initially designed to target banking institutions, mainly in Spain, Turkey, Germany, the US, Italy, Poland, France, The UK, and Australia.
Figure 3: Top 15 targets for Alien
However, as Alien is offered as a MaaS threat, it could be picked up by criminals with other plans, potentially expanding the target list.
Alien is a malware threat that exhibits the capabilities of a banking trojan along with RAT features that set new malware standards.
Researchers warn that Alien infections are very dangerous as this threat harvests information that can be used or monetized in many different ways, potentially causing unprecedented damage.
With Alien being popular on the underground forums and Cerberus being made public, researchers expect that the last quarter of 2020 will bring changes to the threat landscape.
"In the coming months we can definitively expect some new malware families, based on Cerberus, to emerge," ThreatFabric says
Therefore, all financial institutions must take a more in-depth look at their current and future threat exposure and invest in better customer protection.
"The most important aspect to take care of is securing the online banking channels, making fraud hard to perform, discouraging criminals to attempt the attacks and making it less useful for them to build more malware," ThreatFabric advised.