For over a decade, computer users have been plagued by malicious programs designed to steal their online banking credentials and initiate fraudulent transactions from their accounts. As mobile banking gained more adoption over the years, these programs followed the trend and jumped from computers to smartphones. One of the most widely used Android banking Trojans was abandoned by its creators last month, but the gap left in the cybercrime ecosystem is rapidly being filled by an even more potent one dubbed Alien.
“Not only is there an increase in the number of new Android banking Trojans, many of them also bring innovative features,” researchers from cybercrime intelligence firm ThreatFabric said in a recent report. “More and more Trojans embed features that enable the criminals to take remote control of the infected device (RAT) — like the Alien Trojan itself — in order to perform the fraud from the victim’s device. We also notice an interest from actors in recording and stealing more information surrounding the victim. How that information will be used or monetized can vary; it is just a matter of time before actors find out about the value of such information.”
The death of Cerberus
Since 2014, several Android banking Trojans dominated the mobile threat landscape for various lengths of time. It started with the GM Bot and continued with Marcher, Exobot, Red Alert, Anubis and finally Cerberus, which appeared in 2019 and quickly rose to prominence. Most of these Trojans followed a malware-as-a-service model, where their creators marketed and rented out access to their Trojans and infrastructure to other cybercriminals.
Cerberus was successful and had a long list of features including the ability to display rogue screens over other apps (dynamic overlays), keylogging, SMS harvesting and sending, call forwarding, contact list stealing, device and app information collection, app installation and removal, and screen locking. The Trojan was designed to target seven French banking apps, seven US banking apps, one Japanese banking app and 15 non-banking apps.
A main selling point for such Trojans is the creator’s ability to find new ways of evading Play Protect, Google’s malware detection service that’s built into Android devices that have the Google Play store installed. The Cerberus authors didn’t do a great job at this, and a few months ago Play Protect was updated with the ability to detect and remove all Cerberus samples from Android devices. This made many cybercriminals who had paid for and were using Cerberus unhappy.
According to ThreatFabric, driven by shortcomings in his technical team, the Cerberus author was unable to address many of the issues his paying customers had with the malware, so he attempted to sell off the entire project. This was unsuccessful, so in August he shared the source code with the administrator of a cybercrime forum and the source code was publicly leaked shortly after. This marked the death of Cerberus’s business and operations, and its development has since been abandoned.
The rise of Alien
With Cerberus out of the picture, researchers from ThreatFabric have seen more of its former customers migrate to another Android banking trojan called Alien that packs even more features than Cerberus. Alien has been around since January, but in the beginning it managed to fly under the radar because it’s actually based on Cerberus’ code base and could easily be mistaken for a variant of the latter. In fact, the authors of Cerberus at the time were announcing on cybercrime forums that a new major version of the Trojan was in development.
At that stage, the one clear difference between Cerberus and what would later be called Alien, whose name was not yet known, was that Alien had a remote-control module that abused the TeamViewer component pre-installed on some Android phones. This gave cybercriminals the ability to perform fraudulent transactions directly from their victims’ devices.
In the weeks that followed it became clear that Alien was being run by a separate group of people than Cerberus, as they were advertising it separately and even clashed with the Cerberus team on forums at some point. The Alien developers started adding even more features, like a module to steal two-factor authentication (2FA) codes from the Google Authenticator app, a functionality that the Cerberus team also added in May when they released their version 2, which didn’t add any other major features.
It’s common for spin-offs to be developed from a popular malware program after its source code is released or leaked. However, Cerberus’ source code was leaked in August and Alien has been around since January, which raises the question: how did the Alien developers gain access to the source code so long in advance?
The ThreatFabric researchers speculate that some of the developers behind Cerberus left the project, taking the source code with them as well as the unreleased 2FA code stealing module, and started a competing business that became Alien. “Based on our in-depth knowledge of the Trojan (available in our Mobile Threat Intelligence portal), we can prove that the Alien malware is a fork of the initial variant of Cerberus (v1), active since early January 2020 and rented out at the same time as Cerberus,” the researchers said. “Cerberus being discontinued, its customers seem to be switching to Alien, which has become the prominent new MaaS for fraudsters.”
How the Alien malware works
Alien, like many other Android banking Trojans, is sold as a service. Cybercriminals who pay for it get access to a builder that they can use to generate a customized APK (Android application package) based on their settings. They can then choose how to distribute that APK to potential victims, usually through SMS and email spam messages. In fact, some of the early Alien samples found and analyzed by researchers had the name Coronavirus, suggesting the attackers were piggybacking on the COVID-19 pandemic to spread it. Sometimes, cybercriminals also manage to bypass Google Play’s defenses and upload such malware in the official app store masquerading as legitimate applications, so telling users to simply not install applications from unknown sources does not guarantee protection.
During installation, the Trojan asks for Accessibility privileges. This is a special feature in Android meant to be used by accessibility apps and carries a lot of power including the ability to read the screen of other apps, control the UI by simulating taps, and more. Alien uses this privilege to install TeamViewer, a popular remote-control application that many Android phone manufacturers and device models support by default. It then configures TeamViewer with hardcoded credentials that attackers can use to connect to the device and access banking apps to perform fraudulent transactions.
Another feature that sets Alien apart is its ability to monitor system notifications from other apps and send their content to the command-and-control server. This requires an Android permission that is considered risky, so users need to manually grant it by going into the app’s settings. Alien circumvents this by using its Accessibility privileges to perform the user interface steps required to grant this permission.
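The two grants the Trojan chains together (an enabled accessibility service, then notification-listener access obtained through it) are both recorded in Android’s secure settings, so a device check can list which packages hold both. The script below is an added example, not code from the article or from ThreatFabric; it parses the two settings values in the format `adb shell settings get secure` returns them, using constructed sample data with placeholder package names in place of a real device.

```shell
#!/bin/sh
# Added example (not from the article): list packages on an Android device that hold
# BOTH an enabled accessibility service and notification-listener access.
# On a real device the two strings come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure enabled_notification_listeners
# Each is a colon-separated list of package/ServiceClass entries.
# The values below are constructed sample data; the package names are placeholders.
SAMPLE_ACCESSIBILITY='com.example.screenreader/com.example.screenreader.ReaderService:com.example.suspect/com.example.suspect.a11y.Svc'
SAMPLE_LISTENERS='com.example.suspect/com.example.suspect.NotifSvc:com.example.wearcompanion/com.example.wearcompanion.Listener'

# Print the unique package names from a colon-separated package/Class list, one per line.
packages_of() {
    printf '%s' "$1" | tr ':' '\n' | cut -d/ -f1 | grep -v '^$' | sort -u
}

# Print every package that appears in both lists; this combination is what deserves a closer look,
# since a legitimate screen reader rarely needs to read other apps' notifications as well.
dual_grant_packages() {
    acc=$(packages_of "$1")
    lst=$(packages_of "$2")
    for pkg in $acc; do
        for other in $lst; do
            [ "$pkg" = "$other" ] && echo "$pkg"
        done
    done
}

# Return 1 (and print the offenders) if any package holds both grants, 0 otherwise,
# so the function can be used directly in a device-audit script.
check_device() {
    found=$(dual_grant_packages "$1" "$2")
    if [ -n "$found" ]; then
        echo "REVIEW: packages with accessibility + notification-listener access:"
        echo "$found"
        return 1
    fi
    echo "OK: no package holds both grants"
    return 0
}

check_device "$SAMPLE_ACCESSIBILITY" "$SAMPLE_LISTENERS"
```

On a real device, replace the two sample strings with the output of the two `adb shell settings get secure` commands named in the comments; any package the check flags that is not a known accessibility tool should be reviewed and, if unknown, removed.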
The Trojan also includes all the other features Cerberus has, including overlaying, keylogging, SMS listing and sending, contact list collection, 2FA code stealing, call forwarding, and location collection. Alien targets more banking and non-banking apps than Cerberus, including Gmail, Facebook, Twitter, Snapchat, Telegram and other IM apps. The targeted banking apps are from Spain, Turkey, Germany, the United States, Italy, France, Poland, Australia and the United Kingdom. ThreatFabric includes a list of targeted apps in its report, but the cybercriminals who use Alien can define their own targets, so the list is likely far from complete.
“Although it is hard to predict the next steps of the Alien authors, it would be logical for them to improve the RAT, which is currently based on TeamViewer (and therefore visible when installed and executed on the device),” the researchers said. “They could also build an ATS (Automated Transaction Script) feature to automate the fraud process. What can be considered for granted is that the number of new banking Trojans will only continue growing, many embedding new and improved features to increase the success rate of fraud.”
“The last quarter of 2020 will probably come with some additional changes to the threat landscape, especially since the source code of the Cerberus Trojan has been made publicly available,” the researchers said. “In the coming months we can definitively expect some new malware families, based on Cerberus, to emerge.”
Copyright © 2020 IDG Communications, Inc.