Alien Trojan Bypasses Two Factor Authentication
A trojan that targets banking apps have been found in Android devices. The trojan is called Alien. Alien bypasses two-factor authentication or 2FA, to steal credentials. Alien targets more than 200 mobile apps, including Bank of America and Microsoft Outlook. The malware has been used to actively target institutions worldwide, including France, Germany, Italy, Spain, and the United States. Researchers think Alien is a copy clone of Cerberus banking malware.
The Alien RAT has commonly used Android malware capabilities, including the ability to launch overlay attacks, control and steal SMS messages and steal contact lists, and keylogging. It also has several more advanced techniques, including a notification sniffer that allows it to access new updates on infected devices. This includes 2FA codes, which allows the malware to bypass 2FA security measures.
Alien leverages the android.permission.BIND_NOTIFICATION_LISTENER_SERVICE to get the content of the status bar notifications on the infected device. Normally, the user would need to grant permission manually in the settings, but the malware circumvents this roadblock by using the Accessibility privileges and handles all user interactions itself. It does this using an advanced, remote access feature that abuses the TeamViewer application, giving the hackers remote control over the devices. TeamViewer is a proprietary software application used for remote control, desktop sharing and online meetings.
Cerberus first emerged last August on underground forums. At first, it was presented as a standard banking trojan. Over the past year, technical issues led the authors to end the rental service and refund active license holders. On August 10, the authors released the source code. The biggest difference between the two is Alien's 2FA stealing, which Cerberus lacked. Another unique feature of Alien is its RAT capability, which is implemented separately from the main command handler, using different command-and-control (C2) endpoints.
Researchers point to this link between Cerberus and Alien as a trend to continue to look out for. Researchers predict more new malware families, based on Cerberus, will be found in the future. The number of new banking trojans will continue to grow, many embedding new and improved features will be added. Banking trojans have been evolving with new and improved features to increase the success rate of fraud recently. Financial institutions and users using Banking applications are recommended to assess their current and future threats.