Recent discoveries of dangerous variants of the Android banking Trojan families Faketoken, Svpeng and BankBot show the threat to online users whose login credentials and valuable personal data can be stolen.
Security researchers from SfyLabs have now discovered a new Android banking Trojan that is being rented out on several dark web sites for $500 per month, SfyLabs researcher Han Sahin told The Hacker News.
Dubbed Red Alert 2.0, the Android banking malware was written from scratch, unlike other banking trojans such as BankBot and ExoBot, which evolved from the leaked source code of older trojans.
The Red Alert banking malware has been distributed via online hacking forums for the last few months, and its creators have continuously updated it with new functionality, making it an increasingly dangerous threat to potential victims.
Malware Blocks Incoming Calls from Banks
Like most other Android banking trojans, Red Alert has a large number of capabilities, such as stealing login credentials, hijacking SMS messages, displaying an overlay on top of legitimate apps and harvesting the contact list, among others.
Besides this, the Red Alert actors have added a less common feature: blocking and logging all incoming calls associated with banks and financial institutions.
This could stop a bank's warning call about a compromised account from ever reaching the victim, giving the attackers more time before the fraud is noticed.
Malware Uses Twitter As Backup C&C Infrastructure
Another notable feature of Red Alert 2.0 is that it uses Twitter to avoid losing its bots when the command and control server is taken offline.
"When the bot fails to connect to the hardcoded C2 it will retrieve a new C2 from a Twitter account," SfyLabs researchers said in a blog post.
"This is something we have seen in the desktop banking malware world before, but the first time we see it happening in an Android banking trojan."
Red Alert 2.0 currently targets users of more than 60 banking and social media apps across the world and works on Android 6.0 (Marshmallow) and earlier versions.
Here's How the Red Alert 2.0 Trojan Works:
Once installed on the victim's phone via a third-party app store, the malware waits for the victim to open a banking or social media app whose interface it can imitate. As soon as it detects one, the Trojan overlays the original app with a fake user interface.
The fake interface tells the victim that an error occurred while logging in and asks the user to re-authenticate.
As soon as the user enters credentials into the fake interface, Red Alert records them and sends them to the attacker-controlled command and control (C&C) server, where the attackers use them to hijack the account.
For banking apps, the stolen information is used to initiate fraudulent transactions and drain the victim's bank account.
Since Red Alert 2.0 can also intercept SMS text messages received by the infected smartphone, the trojan can defeat SMS-based two-factor authentication, which is meant to stop exactly this kind of attack. A second factor that does not pass through the phone's SMS inbox, such as an authenticator app or a hardware token, is not exposed to this particular interception.
Ways to Protect Yourself Against Such Android Banking Trojans
The easiest way to avoid becoming a victim of such a mobile banking Trojan is to avoid downloading apps from third-party app stores or from links in SMS messages or emails.
To be on the safer side, go to Settings → Security and make sure the "Unknown sources" option is turned off on your Android device, which blocks installation of apps from outside Google Play. (On Android 8.0 and later this became a per-app setting under "Install unknown apps", so check it for browsers and messaging apps in particular.)
Most importantly, review an app's permissions before installing it, even from the official Google Play Store, and if an app asks for more than it needs for its stated purpose (a flashlight or game that wants to read SMS or draw over other apps, for example), do not install it.
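The overlay and SMS-interception behaviour described above and the advice to review permissions both come down to the same observable: the set of permissions an app requests. The following script is an added example, not code from the original article or from SfyLabs. It parses the output of `adb shell dumpsys package` and flags packages that request several of the permissions an overlay banking trojan needs (drawing over other apps, receiving and reading SMS, seeing the foreground app, watching call state). The sample dumpsys text is constructed and the exact layout varies between Android versions; the watchlist, the threshold of three hits and the `--live` flag (which assumes adb is on PATH) are my own choices.

```python
"""Flag installed Android apps that request the permission set an overlay
banking trojan needs. Parses `adb shell dumpsys package` output."""
import re
import subprocess
import sys

# Permissions that, together, give an app the reach described in the article:
# drawing over other apps (overlay), reading or receiving SMS (OTP theft),
# seeing the foreground app and watching incoming calls. Each one has
# legitimate uses; one sideloaded app asking for most of them does not.
WATCHLIST = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay)",
    "android.permission.RECEIVE_SMS": "receive incoming SMS (OTP interception)",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.READ_CONTACTS": "harvest contact list",
    "android.permission.READ_PHONE_STATE": "observe incoming calls",
    "android.permission.CALL_PHONE": "place or handle calls",
    "android.permission.GET_TASKS": "see which app is in the foreground",
    "android.permission.PACKAGE_USAGE_STATS": "see which app is in the foreground",
}

# Constructed sample in the shape of `dumpsys package` output (not captured
# from a real device); the exact layout differs between Android versions.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashlight] (3f2a1c):
    userId=10231
    versionName=1.4
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.READ_CONTACTS
      android.permission.READ_PHONE_STATE
      android.permission.GET_TASKS
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (9b77d0):
    userId=10232
    versionName=2.0
    requested permissions:
      android.permission.INTERNET
      android.permission.WRITE_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
"""

PACKAGE_RE = re.compile(r"^\s*Package \[([^\]]+)\]")


def parse_requested_permissions(dumpsys_text):
    """Return {package: set(requested permissions)} from dumpsys package text."""
    result, current, in_block, block_indent = {}, None, False, 0
    for line in dumpsys_text.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current, in_block = m.group(1), False
            result[current] = set()
            continue
        if current is None:
            continue
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped == "requested permissions:":
            in_block, block_indent = True, indent
            continue
        if in_block:
            # Entries sit deeper than the header; the next header at the same
            # depth (e.g. "install permissions:") or a blank line ends the block.
            if stripped and indent > block_indent:
                result[current].add(stripped.split(":")[0])
            else:
                in_block = False
    return result


def flag_packages(perms_by_pkg, threshold=3):
    """Return {package: sorted watchlist hits} for packages with >= threshold hits."""
    findings = {}
    for pkg, perms in perms_by_pkg.items():
        hits = sorted(p for p in perms if p in WATCHLIST)
        if len(hits) >= threshold:
            findings[pkg] = hits
    return findings


def main(argv):
    # `--live` reads the connected device through adb (assumed to be on PATH);
    # otherwise the constructed sample is used so the script runs offline.
    if "--live" in argv:
        text = subprocess.run(["adb", "shell", "dumpsys", "package"],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_DUMPSYS
    findings = flag_packages(parse_requested_permissions(text))
    for pkg, hits in findings.items():
        print(f"{pkg}: {len(hits)} watchlist permissions requested")
        for perm in hits:
            print(f"  {perm}  # {WATCHLIST[perm]}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

On the constructed sample the flashlight app is reported with six watchlist permissions and the notes app is silent. Requested permissions are a broader net than granted ones (on Android 6.0 the runtime ones may still be pending), which is intentional here: the question being asked is what the app was built to do, not what it has been allowed so far.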
It is also a good idea to install an anti-virus app from a reputable vendor that can detect and block such Trojans before they infect your device.
Also, always keep your system and apps up-to-date.