Alien Android Banking Trojan Sidesteps 2FA


A new ‘fork’ of the Cerberus banking trojan, called Alien, targets victims’ credentials from more than 200 mobile apps, including Bank of America and Microsoft Outlook.

A newly uncovered banking trojan called Alien is invading Android devices worldwide, using an advanced ability to bypass two-factor authentication (2FA) security measures to steal victim credentials.

Once it has infected a device, the RAT aims to steal passwords from at least 226 mobile applications – including banking apps like Bank of America Mobile Banking and Capital One Mobile, as well as a slew of collaboration and social apps like Snapchat, Telegram and Microsoft Outlook.

The malware, which was first advertised for rent on underground forums in January, has been used to actively target institutions worldwide, including those in Australia, France, Germany, Italy, Poland, Spain, Turkey, the U.K. and the United States. Researchers believe Alien is a “fork” of the infamous Cerberus banking malware, whose use has steadily declined over the past year.

“Based on our in-depth knowledge of the trojan, we can prove that the Alien malware is a fork of the initial variant of Cerberus (v1), active since early January 2020 and rented out at the same time as Cerberus,” said researchers with ThreatFabric, in a Thursday analysis. “Cerberus being discontinued, its customers seem to be switching to Alien, which has become the prominent new MaaS [malware as a service] for fraudsters.”

Alien Malware

The Alien RAT has various commonly used Android malware capabilities, including the ability to launch overlay attacks, control and steal SMS messages and harvest contact lists – as well as keylogging, location-collecting and other capabilities.

However, it also touts several more advanced techniques, including a notification sniffer that lets it read every new notification on an infected device. This includes 2FA codes delivered as notifications, allowing the malware to bypass 2FA security measures.

Alien achieves this by abusing the “android.permission.BIND_NOTIFICATION_LISTENER_SERVICE” permission to read the content of status-bar notifications on the infected device. Normally the user would have to grant this permission manually in the settings, but the malware circumvents that roadblock by using the Accessibility privileges on Android devices, performing all the necessary user interactions by itself.
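The combination described above (a notification-listener service paired with an accessibility service, alongside overlay, SMS and contact permissions) is something a defender can check for in an app's manifest. The following is an added triage example, not code from the article or from ThreatFabric; the manifest it parses is constructed and the package name is invented.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Binding permissions that mark the two privileged service types Alien combines.
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permissions behind the other capabilities the article lists for Alien.
WATCHED_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay attacks",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_SMS": "SMS theft",
    "android.permission.READ_CONTACTS": "contact harvesting",
    "android.permission.ACCESS_FINE_LOCATION": "location collection",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Return the capability indicators found in an AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    requested = {e.get(name_attr) for e in root.iter("uses-permission")}
    service_bindings = {s.get(perm_attr) for s in root.iter("service")}
    findings = {
        "package": root.get("package"),
        "notification_listener": NOTIF_LISTENER in service_bindings,
        "accessibility_service": ACCESSIBILITY in service_bindings,
        "capabilities": sorted(WATCHED_PERMISSIONS[p]
                               for p in requested if p in WATCHED_PERMISSIONS),
    }
    # The pairing is the key signal: an accessibility service can click through the
    # settings dialog that normally gates enabling a notification listener.
    findings["high_risk"] = findings["notification_listener"] and findings["accessibility_service"]
    return findings

# Constructed sample manifest (package name invented) showing the combination.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".NotifSvc"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <service android:name=".A11ySvc"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The same check can be run over a manifest extracted from an APK; a legitimate app may need one of these services, so the paired finding is a triage lead rather than a verdict.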

Countries targeted by Alien malware. Credit: ThreatFabric

Alien also carries an advanced remote-access feature that abuses the TeamViewer application, giving the actor behind the malware remote control over the victim’s device. TeamViewer is a proprietary software application used for remote control, desktop sharing and online meetings.

“When TeamViewer is successfully activated, it provides the actors with full remote control of the device’s user interface, enabling them to access and change device settings, install and remove apps, but also to use any app installed on the device (bank applications, messengers and social networks),” said researchers. “By monitoring the device in real-time, actors can also gain valuable insight into the user’s behavior.”

It’s unclear how Alien is initially spread, but because the malware is rented out, each customer can use a different initial attack vector, including spear-phishing, distribution through third-party applications and more.

Link to Cerberus

Cerberus meanwhile first emerged last August on underground forums, offered in a MaaS rental model. At the time it was presented as a standard banking trojan. As recently as July, the malware was uncovered in a malicious Android app on the Google Play app marketplace, which had 10,000 downloads.

However, over the past year a slew of technical issues occurred that led to unhappy customers. The authors of Cerberus consequently decided to end the rental service and refund active license holders. On August 10, the malware author shared the source code of the trojan to the general public.

The decline of Cerberus in 2020. Credit: ThreatFabric

Meanwhile, researchers said that in February they started seeing simultaneous campaigns using both trojans; however, the new Alien malware appeared to be operated separately and differed slightly from Cerberus.

The biggest difference between the two samples is Alien’s 2FA-stealing technique, a feature that Cerberus lacked, they said. Another distinctive feature of Alien is its RAT capability, which has been implemented separately from the main command handler, using different command-and-control (C2) endpoints.

“Looking at what we know now about what happened with Cerberus and Alien, we could speculate that Cerberus was on the decline as the developers behind the trojan shifted away from the project with the original source in order to start their own,” researchers said.

Next Steps

Researchers point to this link between Cerberus and Alien as a trend in the threat landscape worth continuing to watch. They predicted that more new malware families based on Cerberus will emerge in the last quarter of 2020. For Alien specifically, researchers said they expect the malware’s authors to keep improving its remote-access functionality.

“They could also build an ATS [automatic transfer system] feature to automate the fraud process,” said researchers. “What can be considered for granted is that the number of new banking trojans will only continue growing, many embedding new and improved features to increase the success rate of fraud.”

Researchers urge all financial institutions to understand their current and future threat exposure and consequently implement the relevant detection and control mechanisms.

“The most important aspect to take care of is securing the online banking channels, making fraud hard to perform, discouraging criminals to attempt the attacks and making it less useful for them to build more malware,” they wrote.
