Cybersecurity researchers discovered a new strain of malware that’s wreaking havoc on Android devices worldwide. Named Alien, this malicious software has been circulating as a Malware-as-a-Service (MaaS) offering in underground hacking forums since the beginning of the year. It can steal credentials from 226 apps thanks to a broad collection of features and tricks. ThreatFabric experts who found the trojan revealed that it is not entirely new. Instead, it is based on Cerberus, the most successful MaaS on Android last year.
Despite being widely active, Cerberus faded away after technical issues arose. These problems remained unresolved until Google Play Protect managed to detect and eliminate all the related malware samples. As a result, the trojan’s owner tried to sell the service, along with the customer portfolio. But after no one bought the source code, not to mention several complaints from customers, the Cerberus actor eventually decided to end the rental service, share the source code with the administrator, and refund the customers.
And although the Cerberus source code became publicly available, there weren’t any noticeable increases in attacks. That’s mostly because Google Play Protect can detect the malware as soon as it’s installed on an Android device, so anyone reusing the code would have to modify it substantially before it could go unnoticed. Since Cerberus’ demise, there hasn’t been any sighting of large-scale attacks. Nonetheless, some researchers still report active Cerberus campaigns, and according to ThreatFabric, these can be attributed to a fork of Cerberus called “Alien.”
New Player in Town
The Alien source code may be based on the Cerberus malware, but researchers have warned that the new trojan has none of its weaknesses. In fact, it is even more advanced and much more dangerous than its predecessor. In other words, it is not your average Android banking trojan. It features common capabilities with other malware, like SMS harvesting, overlaying, and contact list collection. But in addition to all that, Alien has some advanced features. For instance, its keylogger (program to record every keystroke on the keyboard) can be used for any purpose, thus expanding the scope of the attack. It allows hackers to steal credentials on multiple platforms.
Furthermore, thanks to its remote access trojan (RAT) capability, it can install, launch, and remove apps without the user’s knowledge or permission. It also has a notification sniffer, allowing it to receive the content of every app notification on the infected device. Alien can even intercept two-factor authentication (2FA) codes, since it can access victims’ SMS messages and emails. ThreatFabric researchers also revealed that the malware displays fake login pages for 226 Android apps, mostly banking services and financial institutions. However, applications of a different nature were targeted as well, such as Gmail, WhatsApp, Facebook, and Twitter.
“A lot of it seems distributed via phishing sites, for example, malicious page tricking the victims into downloading fake software updates or fake Corona apps,” ThreatFabric malware analyst Gaetan van Diemen told ZDNet. You can check out the full list of targeted apps in ThreatFabric’s report.
As most businesses are shifting to the digital realm due to the COVID-19 pandemic, cyberattacks continue to surge. TheVPN.Guru offers online security and privacy tips, as well as how-to guides and reviews of popular anonymity tools like VPNs.