Android Banking Trojan Xbot Is Also Ransomware

Uploaded on 2016-02-29 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, GOVERNMENT-Law Enforcement, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, BUSINESS-Services-Financial

A botnet is a number of  internet connected computers communicating with other similar machines in an effort to complete repetitive tasks and objectives. This example illustrates how a botnet is created and used to send spam email.

A new kind of Android malware steals online banking credentials and can hold a device's files hostage in exchange for a ransom, delivering a particularly nasty one-two punch.

The malware, called Xbot, is not widespread yet and appears to be just targeting devices in Australia and Russia, wrote researchers with Palo Alto Networks in a blog post recently.

But they believe whomever is behind Xbot may try to expand its target base. "As the author appears to be putting considerable time and effort into making this Trojan more complex and harder to detect, it’s likely that its ability to infect users and remain hidden will only grow," Palo Alto wrote.

Xbot uses a technique called activity hijacking to carry out attacks aimed at stealing online banking and personal details.

It essentially allows the malware to launch a different action when someone tries to launch an application. Users are unaware that they're actually using the wrong program or function.

Activity hijacking take advantage of features in Android versions prior to 5.0. Google has since developed defenses against it, so only older devices or those that have not been updated would be affected.

In one type of attack, Xbot monitors the app a user has launched. If it is a particular online banking app, Xbot intervenes and displays an interface that obscures the real app.

The bogus interface is actually downloaded from a command-and-control server and displayed using WebView, Palo Alto wrote. The legitimate applications are not actually tampered with.

"So far we’ve found seven different faked interfaces," Palo Alto wrote. "We identified six of them – they’re imitating apps for some of the most popular banks in Australia. The interfaces are very similar to these banks’ official apps’ login interfaces. If a victim fills out the form, the bank account number, password, and security tokens will be sent," to the command-and-control server.

Xbot can also bring up an interface through WebView saying the device has been infected with CryptoLocker, a well-known ransomware program. Ransomware encrypts files and then asks for payment for the decryption key. In this case, the attackers ask for $100 to be paid through a spoofed PayPal site.

Xbot will actually encrypt files on the device's external storage. However, the encryption algorithm used is weak, and it would be possible to recover the files, Palo Alto wrote.

Xbot can also scrape the phone for personal data, such as contacts, SMSes and phone numbers and send the data to the attackers.

Computerword

 

 

« IT Spending Predicted To Slow
PWC On The Hunt For 1,000 Data Scientists »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Exploit Database (EDB)

Exploit Database (EDB)

The Exploit Database is a CVE compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers.

IEEE Computer Society

IEEE Computer Society

The IEEE Computer Society is the world's leading membership organization dedicated to computer science and technology.

CloudSigma

CloudSigma

CloudSigma, a pure-cloud IaaS provider offers flexible and innovative cloud hosting solutions for companies of all sizes both in Europe and the US.

Resilient Information Systems Security (RISS)

Resilient Information Systems Security (RISS)

RISS is a research group is in the Department of Computing at Imperial College London.

Adeptis Group

Adeptis Group

Adeptis are experts in cyber security recruitment, providing bespoke staffing solutions to safeguard your organisation against ever-changing cyber threats.

TCN

TCN

TCN is an advanced System Integrator and Infrastructure Company in Albania.

Cycode

Cycode

Cycode is the industry’s first source code control, detection, and response platform.

DarkLight

DarkLight

DarkLight is a cybersecurity platform that mimics human thinking at scale to build resiliency to Advanced Persistent Threats.

Sabat Group

Sabat Group

Sabat Group provide relationship-driven information security & cyber security recruiting services.

Absa Cybersecurity Academy

Absa Cybersecurity Academy

Absa Cybersecurity Academy is an initiative aimed at empowering marginalised South African youths to become certified cybersecurity specialists.

RNTrust

RNTrust

RNTrust provide solutions to meet today’s digital challenges utilizing digital technologies and services to make you more secured in digitally connected environment.

SandboxAQ

SandboxAQ

SandboxAQ is an enterprise SaaS company combining AI + Quantum tech to solve hard problems impacting society.

CySecK

CySecK

CySecK is a Centre of Excellence in Cybersecurity formed in 2017 by the Government of Karnataka, as part of the Technology Innovation Strategy.

Cyera

Cyera

Cyera is the data security company that gives businesses context and control over their most valuable asset: data.

NetApp

NetApp

The NetApp portfolio includes intelligent cloud services, data services, and storage infrastructure that helps organizations manage applications and data everywhere across hybrid cloud environments.

Atlas Cloud

Atlas Cloud

Atlas Cloud is a UK-wide provider of managed services based in Newcastle. Our ‘research-led’ approach to IT services helps leaders make better decisions about IT for their businesses.