Security experts at Palo Alto have just found a brand new kind of Android malware that steals online banking credentials and can hold a device’s files hostage in exchange for a ransom, delivering a particularly nasty one-two punch. The new malware is named Xbot and is not widespread yet.
According to the specialists, Xbot is currently targeting devices in Australia and Russia. However, they think that the hackers behind Xbot may try to expand its target base in the near future.
“As the author appears to be putting considerable time and effort into making this Trojan more complex and harder to detect, it’s likely that its ability to infect users and remain hidden will only grow,” a Palo Alto expert said.
The technique used by Xbot is called activity hijacking, and it is used to carry out attacks aimed at stealing online banking and personal details. It lets the malware launch a different activity whenever the user tries to open an application, so users have no clue that they are interacting with the wrong program or function.
Activity hijacking takes advantage of features in Android versions prior to 5.0. Because Google has since developed defenses against it, only older devices or those that have not been updated would be affected.
During one type of attack, Xbot malware monitors the application launched by the user. In case it is a particular online banking app, Xbot intervenes and displays an interface which obscures the real application.
According to Palo Alto’s specialists, the bogus interface is downloaded from a command-and-control server and displayed using WebView. The legitimate applications themselves are not actually tampered with.
“So far we’ve found seven different faked interfaces,” they stated.
“We identified six of them – they’re imitating apps for some of the most popular banks in Australia. The interfaces are very similar to these banks’ official apps’ login interfaces. If a victim fills out the form, the bank account number, password, and security tokens will be sent to the command-and-control server.”
Apart from this, Xbot can bring up an interface through WebView stating that the device has been infected with the well-known ransomware program CryptoLocker.
The ransomware encrypts files first, and then asks for payment for the decryption key. In the above-mentioned case, the cyber criminals ask for US$100 to be paid through a spoofed PayPal website.
Xbot encrypts files on the device’s external storage. Nevertheless, the encryption algorithm used is weak, and it would be possible to recover the files, Palo Alto explains.
In addition, Xbot can scrape the phone for personal data, such as contacts, SMS messages and phone numbers, and send the data to the hackers.