Android Banking Trojan Xbot Is Also Ransomware

Uploaded on 2016-02-29 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, GOVERNMENT-Law Enforcement, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, BUSINESS-Services-Financial

A botnet is a number of  internet connected computers communicating with other similar machines in an effort to complete repetitive tasks and objectives. This example illustrates how a botnet is created and used to send spam email.

A new kind of Android malware steals online banking credentials and can hold a device's files hostage in exchange for a ransom, delivering a particularly nasty one-two punch.

The malware, called Xbot, is not widespread yet and appears to be just targeting devices in Australia and Russia, wrote researchers with Palo Alto Networks in a blog post recently.

But they believe whomever is behind Xbot may try to expand its target base. "As the author appears to be putting considerable time and effort into making this Trojan more complex and harder to detect, it’s likely that its ability to infect users and remain hidden will only grow," Palo Alto wrote.

Xbot uses a technique called activity hijacking to carry out attacks aimed at stealing online banking and personal details.

It essentially allows the malware to launch a different action when someone tries to launch an application. Users are unaware that they're actually using the wrong program or function.

Activity hijacking take advantage of features in Android versions prior to 5.0. Google has since developed defenses against it, so only older devices or those that have not been updated would be affected.

In one type of attack, Xbot monitors the app a user has launched. If it is a particular online banking app, Xbot intervenes and displays an interface that obscures the real app.

The bogus interface is actually downloaded from a command-and-control server and displayed using WebView, Palo Alto wrote. The legitimate applications are not actually tampered with.

"So far we’ve found seven different faked interfaces," Palo Alto wrote. "We identified six of them – they’re imitating apps for some of the most popular banks in Australia. The interfaces are very similar to these banks’ official apps’ login interfaces. If a victim fills out the form, the bank account number, password, and security tokens will be sent," to the command-and-control server.

Xbot can also bring up an interface through WebView saying the device has been infected with CryptoLocker, a well-known ransomware program. Ransomware encrypts files and then asks for payment for the decryption key. In this case, the attackers ask for $100 to be paid through a spoofed PayPal site.

Xbot will actually encrypt files on the device's external storage. However, the encryption algorithm used is weak, and it would be possible to recover the files, Palo Alto wrote.

Xbot can also scrape the phone for personal data, such as contacts, SMSes and phone numbers and send the data to the attackers.

Computerword

 

 

« IT Spending Predicted To Slow
PWC On The Hunt For 1,000 Data Scientists »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Deductive Labs

Deductive Labs

Deductive Labs consulting services help customers with their technology, security and automation challenges.

Seqrite

Seqrite

Seqrite offers a highly advanced range of enterprise and IT security solutions to protect your organization's most critical data.

Cryptshare

Cryptshare

Cryptshare is a communication solution that enables you to share e-mails and files of any size securely.

Titans24

Titans24

Titans24 is a Software-as-a-Service security platform for web applications. It prevents attacks on business websites that are protected under 11 cyber-security layers.

Infosequre

Infosequre

Infosequre builds up your security awareness culture and turns your employees into the first line of defense against cyber risks.

DKBInnovative

DKBInnovative

DKBinnovative is a best-practice driven IT management firm that provides secure, reliable IT solutions to productivity-focused clients around the globe.

CyberNet Albania

CyberNet Albania

Cybernet Albania has been providing IT support and services to small businesses since 2016. We strive to eliminate your IT issues before they cause downtime and impact your operations.

Senteon

Senteon

Senteon is a turnkey cybersecurity platform designed to make securing confidential data affordable, understandable, and streamlined for small-to-mid sized businesses and MSPs.

Hub71

Hub71

Hub71 is a world-class tech ecosystem opening doors to global opportunities from an optimal business environment for entrepreneurial-minded innovators.

Dope Security

Dope Security

Dope Security is a fly-direct Secure Web Gateway that eliminates the data center stopover architecture required by legacy providers, instead performing security directly on the endpoint.

ShellBoxes

ShellBoxes

ShellBoxes are a leading Web3 company focused on providing top-notch blockchain security and development services.

AgilePQ

AgilePQ

AgilePQ visibly secures IoT devices worldwide to protect the privacy, safety, and well-being of all people.

Spec

Spec

Spec is the only no-code orchestration platform that protects enterprise fraud defenses from being blocked, bypassed, and manipulated by modern attack tactics.

Dynamic Networks

Dynamic Networks

Dynamic Networks provide Managed Cloud Services; Unified Communications; Security & Compliance Services and Network & Infrastructure Services for both Public Sector and Private sector businesses.

Intellinexus

Intellinexus

Intellinexus turns data into actionable insights to revolutionise decision-making in your business.

Standard Notes

Standard Notes

Standard Notes is a secure digital notes app that protects your notes and files with audited, industry-leading end-to-end encryption.