The Recent discoveries of dangerous variants of the Android banking Trojan families, including Faketoken, Svpeng, and BankBot, present a significant threat to online users who may have their login credentials and valuable personal data stolen.
Security researchers from SfyLabs have now discovered a new Android banking Trojan that is being rented on many dark websites for $500 per month, SfyLabs’ researcher Han Sahin told The Hacker News.
Dubbed Red Alert 2.0, the Android banking malware has been fully written from scratch, unlike other banking trojans, such as BankBot and ExoBot, which were evolved from the leaked source code of older trojans.
The Red Alert banking malware has been distributed via many online hacking forums since last few months, and its creators have continuously been updating the malware to add new functionalities in an effort to make it a dangerous threat to potential victims.
Malware Blocks Incoming Calls from Banks
Like most other Android banking trojans, Red Alert has a large number of capabilities such as stealing login credentials, hijacking SMS messages, displaying an overlay on the top of legitimate apps, contact list harvesting, among others.
Besides this, Red Alert actors have also added an interesting functionality to its malware, like blocking and logging all incoming calls associated with banks and financial associations.
This would potentially allow the Red Alert malware to prevent warnings of a compromised account to be received by the victims from their associated banks.
Malware Uses Twitter As Backup C&C Infrastructure
Another most interesting thing about Red Alert 2.0 is that it uses Twitter to prevent losing bots when its command and control server is knocked offline.
“When the bot fails to connect to the hardcoded C2 it will retrieve a new C2 from a Twitter account,” SfyLabs researchers said in a blog post.
“This is something we have seen in the desktop banking malware world before, but the first time we see it happening in an Android banking trojan.”
The Red Alert 2.0 is currently targeting victims from more than 60 banks and social media apps across the world and works on Android 6.0 (Marshmallow) and previous versions.
Here’s How the Red Alert 2.0 Trojan Works:
Once installed on victim’s phone via the third-party app store, the malware waits for the victim to open a banking or social media app, whose interface it can simulate, and once detected, the Trojan immediately overlays the original app with a fake user interface.
The fake interface then informs the victim that there is an error while logging the user in and requests the user to re-authenticate his/her account.
As soon as the user enters the credentials into the fake user interface, Red Alert records them and sends them to the attacker-controlled command and control (C&C) server to be used by the attackers to hijack the account.
In case of banking apps, the recorded information is being used by attackers to initiate fraudulent transactions and drain the victim’s bank account.
Since Red Alert 2.0 can also intercept SMS text messages received by the infected smartphone, the trojan could work around two-factor authentication techniques that otherwise are designed to throttle such attacks.
Ways to Protect Yourself Against Such Android Banking Trojans
The easiest way to prevent yourself from being a victim of one such mobile banking Trojan is to avoid downloading apps via third-party app stores or links provided in SMS messages or emails.
Just to be on the safer side, go to Settings → Security and make sure “Unknown sources” option is turned off on your Android device that blocks installation of apps from unknown sources.
Most importantly, verify app permissions before installing any app, even from official Google Play Store, and if you find any application asking more than what it is meant for, just do not install it.
It is always a good idea to install an anti-virus app from a reputed vendor that can detect and block such Trojan before it can infect your device.
Also, always keep your system and apps up-to-date.