Android Banking Trojan Xbot Is Also Ransomware

A botnet is a number of  internet connected computers communicating with other similar machines in an effort to complete repetitive tasks and objectives. This example illustrates how a botnet is created and used to send spam email.

A new kind of Android malware steals online banking credentials and can hold a device's files hostage in exchange for a ransom, delivering a particularly nasty one-two punch.

The malware, called Xbot, is not widespread yet and appears to be just targeting devices in Australia and Russia, wrote researchers with Palo Alto Networks in a blog post recently.

But they believe whomever is behind Xbot may try to expand its target base. "As the author appears to be putting considerable time and effort into making this Trojan more complex and harder to detect, it’s likely that its ability to infect users and remain hidden will only grow," Palo Alto wrote.

Xbot uses a technique called activity hijacking to carry out attacks aimed at stealing online banking and personal details.

It essentially allows the malware to launch a different action when someone tries to launch an application. Users are unaware that they're actually using the wrong program or function.

Activity hijacking take advantage of features in Android versions prior to 5.0. Google has since developed defenses against it, so only older devices or those that have not been updated would be affected.

In one type of attack, Xbot monitors the app a user has launched. If it is a particular online banking app, Xbot intervenes and displays an interface that obscures the real app.

The bogus interface is actually downloaded from a command-and-control server and displayed using WebView, Palo Alto wrote. The legitimate applications are not actually tampered with.

"So far we’ve found seven different faked interfaces," Palo Alto wrote. "We identified six of them – they’re imitating apps for some of the most popular banks in Australia. The interfaces are very similar to these banks’ official apps’ login interfaces. If a victim fills out the form, the bank account number, password, and security tokens will be sent," to the command-and-control server.

Xbot can also bring up an interface through WebView saying the device has been infected with CryptoLocker, a well-known ransomware program. Ransomware encrypts files and then asks for payment for the decryption key. In this case, the attackers ask for $100 to be paid through a spoofed PayPal site.

Xbot will actually encrypt files on the device's external storage. However, the encryption algorithm used is weak, and it would be possible to recover the files, Palo Alto wrote.

Xbot can also scrape the phone for personal data, such as contacts, SMSes and phone numbers and send the data to the attackers.

Computerword

 

 

« IT Spending Predicted To Slow
PWC On The Hunt For 1,000 Data Scientists »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

FIRST Conference

FIRST Conference

Annual conference organised by the Forum of Incident Response and Security Teams (FIRST), a recognized global leader in computer incident response.

ControlScan

ControlScan

ControlScan is a Managed Security Services Provider (MSSP) - our primary focus is protecting your business and securing your sensitive data.

Muninn

Muninn

At Muninn (aka Wehowsky), we specialize in mitigating potential risks within your network, providing one of the leading network detection and response (NDR) solutions on the market.

Nexusguard

Nexusguard

Nexusguard is at the forefront of the fight against malicious Internet attacks, protecting organizations worldwide from threats to their websites, services, and reputations.

OnSystem Logic

OnSystem Logic

OnSystem Logic has developed a unique, patent-pending solution to solve the problem of the exploitation of flaws in application software as a technique for cyber attacks.

Bottomline Technologies

Bottomline Technologies

Bottomline Technologies is an innovator in business payment automation technology, helping companies make complex business payments simple, smart and secure.

Neupart

Neupart

Neupart provides Information Security Management System, Secure ISMS, allowing organisations to automate IT Governance, Risk and Compliance management.

DataArt

DataArt

DataArt is a global technology consultancy that designs, develops and supports unique software solutions. Areas of activity include software security testing.

Tempest

Tempest

TEMPEST is a leading provider of IT products and services including solutions for network and application security.

Titans24

Titans24

Titans24 is a Software-as-a-Service security platform for web applications. It prevents attacks on business websites that are protected under 11 cyber-security layers.

Splone

Splone

Splone is a Berlin-based IT security research team and consultancy. We help improve IT-security by offering red team assements, penetration tests, audits and customized consulting.

FireCompass

FireCompass

FireCompass SAAS platform helps CISOs & Security Teams in continuous risk assessment by mapping your attack surface and knowing the “unknown unknowns”.

Privacyware

Privacyware

Privacyware's ThreatSentry combines a state-of-the-art Web Application Firewall and port-level firewall with advanced behavioral filtering to block unwanted IIS traffic and web application threats.

Etonwood

Etonwood

Etonwood specialises in infrastructure and vendor technology recruitment in areas including cloud platforms, cyber security and service management.

BlackDice Cyber

BlackDice Cyber

Threat Intelligence is only part of the solution. Our solution matches threats to vulnerabilities and automatically takes remedial action against compromised apps, devices and websites.

Koop

Koop

Koop’s trust management platform helps navigate the complexities of regulatory compliance, security reviews, and liability insurance in a single place.